17 Reviews
|
20 of 20 people found the following review helpful:
5.0 out of 5 stars
birds eye view...with a sufficient level of detail.,
By
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
I'm always skeptical about books that propose to cover such a vast spectrum of subjects, the book in question however does a wonderful job at explaining in plain English what is happening behind an attack, it unveils the possible motives and end result, and I personally found it a superb manuscript on what is happening today in the fields of hacking and social engineering.
On a more technical side it covers XSS attacks and blended exploits, again in plain English. Though the authors also throw some code in there to keep the techiest of us entertained, personally I found the inclusion of code somewhat unnecessary. 'Plain English' would suffice especially because I found that this would otherwise be the perfect book to hand to someone less techy who wants to know what is happening out there in the wild and to some extent what they need to look out for if they intend to be security conscious. Could they ignore the code? Sure! Will they? Depends on the individual and his/her aversion to programming. It still keeps its five stars though, I can't fault a book for having too much information. The book also covers phishing attacks, that chapter was a very worthwhile read. I hold no interest or curiosity in phishing attacks and after reading it I was surprised on what I had learned. The chapters on social engineering and information gathering were very interesting as well. The authors made a clear effort to mention current online tools that attackers can use to acquire information on a target (may that be a person or a corporate entity) and go into deeper detail on how such an attack can develop into face to face contact with a target. The way the book is written makes it feel like a story, like one attack unfolds into another and that is really why this book is such good fun to read. If there's something I can fault in this book it's really its life span. You have to get it now for it to matter. In 2 years time all this will be old, stale news and at the speed things change in the IT/IS world it's really quite inevitable. Social engineering will always be social engineering but the tools used to gather information will surely change.
22 of 24 people found the following review helpful:
5.0 out of 5 stars
An excellent book that deals with many new attack vectors you may not have considered...,
By Thomas Duff "Duffbert" (Portland, OR United States)
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
I've read my share of hacking books over the years, and usually most of the books focus on the same topics... pointer overflows, brute force password hacks, etc. But with all the movement towards Web 2.0, the Cloud, and social networks, is it possible that hacking vectors have shifted somewhat into areas we don't normally worry about? After reading Hacking: The Next Generation by Nitesh Dhanjani, Billy Rios, and Brett Hardin, the answer is definitely yes. There's a whole new series of things to worry about, both from a corporate and a personal level.
Contents: Intelligence Gathering: Peering Through the Windows to Your Organization; Inside-Out Attacks: The Attacker Is the Insider; The Way It Works: There Is No Patch; Blended Threats: When Applications Exploit Each Other; Cloud Insecurity: Sharing the Cloud with Your Enemy; Abusing Mobile Devices: Targeting Your Mobile Workforce; Infiltrating the Phishing Underground: Learning from Online Criminals?; Influencing Your Victims: Do What We Tell You, Please; Hacking Executives: Can Your CEO Spot a Targeted Attack?; Case Studies: Different Perspectives; Chapter 2 Source Code Samples; Cache_Snoop.pl; Index
Yes, the deeply technical hacks still exist, the ones that rely on badly coded software to gain privileges you aren't granted. But in some ways, the hacks are getting easier, or at least more available to those who are not hardcore techheads. Take for instance, blended threats. This is an interesting concept that shows how interconnected software environments have become. In the example they use, Microsoft had a minor vulnerability in XP and Vista, while Apple had a minor vulnerability in their Safari browser. Both vendors didn't feel that either item was critical. That changed (at least for Microsoft) when someone used the behavior in Safari running on Windows to place a dll file on the Windows desktop. This dll file was then used by IE7 when starting up, overriding the use of the real dll in the proper Windows directories. You can imagine how this would lead to "undesirable consequences."
And if that's not enough, imagine the potential of hacks in the Cloud. The authors show how one could hack an administration console to a Cloud provider, allowing someone to modify a number of parameters of a Cloud account. Or... if your attack target runs on the Cloud and is charged based on bandwidth and CPU, imagine what you could do to this target if you were to launch a distributed denial of service attack using the Cloud as the attacking client. The resources are almost limitless, and the target will get hit with charges that escalate at an incredible rate. Not a comforting thought if you've trusted your business to "the Cloud"...
I also noticed that more and more, hacking is not so much about taking over hardware as it is about getting a pipeline to timely information. For instance, more and more people are using shared and public calendars to manage their daily work. It's not uncommon to be able to search and find conference call details that aren't removed from the entry. If you find this info, it's very possible that you can call in to the number, remain on mute, and pick up vital information that can be of value to you or other companies. This type of hack isn't technical in the least. It's just a mix of Google searching and ignorant/non-cautious users.
I'd really recommend Hacking: The Next Generation to my fellow techies. More important than learning new ways to mess with each other's minds, it will expose you to a number of new attack vectors that you may not have considered. And in most cases, simple awareness of those new vectors is enough to allow you to start to defend against them.
Disclosure: Obtained From: Publisher; Payment: Free
16 of 17 people found the following review helpful:
5.0 out of 5 stars
Great Book!,
By
Amazon Verified Purchase
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
This is a great read if you are interested in understanding what types of things make your systems and identity vulnerable to hacking. I basically read it cover to cover in a single sitting, I could not put it down. This is not a book that tells you how to secure your systems against various threats, but rather explains in detail how threats arise and how they are exploited. If you are a software professional interested in building secure systems or just interested in how to protect yourself online I highly recommend this book.
5 of 6 people found the following review helpful:
5.0 out of 5 stars
Everything you would expect from the title,
By
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
Hacking The Next Generation
This was a very well written book. The authors did a great job of mixing technical and non-technical attack vectors. I felt the flow of the book was very well done, keeping the reader engaged the entire time. The authors gave enough information on each topic to get you started, but did not inundate you with the minute details that can get overwhelming. In many chapters of the book the authors use scenarios to relate the reader to a topic. This method helped me grasp a few of the concepts that may have otherwise taken a second or third read. In most of the sections that described technical attack vectors the authors gave links to tools that would help the reader perform that specific attack. Not only is this a great way to help the reader increase their tool set, it allows the reader to put into practice what was just read. Chapter 2: Inside-Out-Attacks is an example of how every technical topic should be taught. The authors used scenario based writing mixed with technical details that really help the reader grasp the concept. Again, these are not littered with enough technical detail to understand in-depth how these attacks work, but they will give you a general understanding of each topic. Chapter 7: Infiltrating the Phishing Underground was my favorite in the book. The author did a great job of relating how the underground works, how you get in contact with people, and how the act of phishing transpires. I was amazed to read how templates are shared, how they are put in place, and how the phishing crowd feel about each other. Chapter 5: Sharing the Cloud with Your Enemy was not really what I expected. I was hoping to hear of some new attack vectors, but didn't seem to get that. It was a great reminder of the risks to companies that use shared resources, and allow other administrators to control those resources, but this all seemed like common knowledge. Overall this book was great. 
The content seemed very fresh, and where it was overlap from previous readings the authors seemed to put a new spin on old ideas. If you are looking for a book that will teach you step by step how to hack a website, or steal some credit cards, this book is not for you. This book is a great overview of multiple attack vectors, giving broad overviews of each one.
Wayne Gipson, CISSP, CISA
2 of 2 people found the following review helpful:
3.0 out of 5 stars
High-Level Hacking,
By R00k (Washington DC)
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
This was a good book, but written from a very high level. Much of the material presented is right on topic, but they cover quite a lot of it for such a thin book. I was a bit disappointed in the level of detail when I was reading through, but I guess this is a problem with my expectations not being set correctly, rather than anything that the authors did wrong. So overall a good read, but I wanted more detail.
4 of 5 people found the following review helpful:
4.0 out of 5 stars
A Good Introduction to Today's Top Threats,
By
Amazon Verified Purchase
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
It's almost cliché to talk about how quickly things change in the IT world. When you're talking about IT security, though, "quickly" is an understatement. Why, then, do many of today's "hacking" books seem like they might have been written in 1999? Attackers have progressed beyond the scan-and-exploit phase; shouldn't your understanding of the threatscape evolve to match?
That is precisely the premise of "Hacking: The Next Generation." In fact, the title is a bit of a misnomer. It's not talking about the next generation of hacking at all; it's talking about the *current* one, albeit a generation of hacking that many security organizations haven't caught up with yet. I first saw this book in the store, and a quick glance through the Table of Contents got me pretty excited. I saw topics like mobile security, the phishing underground, targeted attacks against company executives and (the big selling point for me) attacks against cloud computing. In fact, I was so excited to read it that I ordered it from Amazon on the spot, through my phone.
After having read this book, I can say that it lived up to most of my expectations. First off, this is a book about high end attackers, professionals who select their targets carefully, do their research and have a clear goal in mind. The authors' focus seems to be primarily organized crime, but they also cover motivated insiders and to a much lesser extent, nation-state actors. Collectively, these types of attackers are known in the trade as "Advanced Persistent Threats", or "APT".
Secondly, I really liked the fact that the book emphasizes what I will call an intelligence-based approach. APT is notorious for doing their homework and uncovering a shocking amount of information about their targets before the attack itself ever even begins. It's appropriate, therefore, that the book begins with a chapter on information gathering via search engines and other public sources. It also has an entire chapter describing how an attacker could use this public information to identify likely targets in an organization and map out their social and professional connections to identify potential weaknesses to exploit via social engineering.
One of the standout chapters was Chapter 5 ("Cloud Insecurity: Sharing the Cloud with Your Enemy"). There are many definitions of "cloud" computing, but this chapter picks two leading examples (Amazon's EC2 and Google's App Engine) and discusses how these services work and several ways an attacker with access to these same public clouds could begin to attack systems deployed there. Even if you have no experience with cloud computing, this chapter provides enough background to allow you to understand and evaluate the risks that the authors bring to light.
There are a few areas for improvement in this book, though, that kept me from being able to assign a full five stars to this review. For a book about the "next" generation of hacking, many parts read like they could have been written 5, 10 or even 15 years ago. Chapter 3 ("The Way it Works: There is no Patch") discusses password sniffing, email spoofing and ARP poisoning, all techniques that are over a decade old. Although they are still seen in the real world, each of them has been covered better elsewhere. This chapter is just a glaring anachronism compared to some of the others, and it detracts from the "Next Generation" focus in a very distracting way.
Chapter 6 ("Abusing Mobile Devices") is also pretty weak. In a "Next Generation" chapter on mobile devices, I expected to see coverage of iPhones, BlackBerries and other popular smart phones. Instead, the authors chose to focus on laptops and insecure Wi-Fi access. If you really want to know how to spoof an access point to read someone's email in the local Starbucks, I'd suggest buying another book that covers the topic in more detail. As it is, I was very disappointed that the authors chose to waste space on this topic when there are much more modern techniques being used in the real world.
Overall, "Hacking: The Next Generation" is a solid overview of the techniques used by some of today's top threats. It provides a good overview of the kind of intelligence-driven attacks you're likely to see from APT. Although parts of this book seem like they're looking backwards rather than forwards, the rest of the book more than makes up for those flaws.
1 of 1 people found the following review helpful:
3.0 out of 5 stars
Introductory and probably most suitable to the masses who won't read it because of all the code, jargon and assumed knowledge,
By
Amazon Verified Purchase
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
This is quite a strange book, because on the one hand it is quite technical in listing sample code, and assuming base knowledge. On the other hand it covers some really basic things in great detail, while glossing over some things with phrases to the effect of "the attacker now has access to the entire organisation's mail", when really, they wouldn't.
So there is a fair bit of fear mongering, but not because they are wrong so much as because they are skipping some steps. That, to me, seems a fatal flaw, because the technical people would say "yeah ... ok, if I assume you are as good as you claim to be", and the non-technical people are thinking this is Harry Potter, because there were some arcane script(ure)s and then stuff went very bad. I'd say that to most technical people with a slight security focus there is nothing new in here. To the non-technical or non-security people though, who the text (not the code) is (should be) aimed at, various bits will be very off-putting. Especially the code and the jargon. Also, this title fails to appreciate that successful attacks are not just down to people being in a rush and warning messages not being user friendly. Granted, their analysis of phishers is a great read, but I don't think it will be read by the right people. Technically aware people already know they are mostly muppets, and non-technical people won't get the joke because it is buried in php code. One saving grace, which sadly is too little (one short chapter) and too late (last chapter), are the two case studies that conclude the book. The two case studies highlight first a very effective but non technical attack, and then a rather technical attack which does feature a bit of code, but not terribly so. I guess the prior chapters were needed to lay the foundation, but even then, I fear that non-technical readers would be put off by the technical attack's code. Though in this case the code dumps are much more illustrative and far less technical. Problem is though, most non-technical readers would probably not have made it this far. In the end, this is a very light read to security/IT aware that reminds one of the basic techniques and a missed opportunity to become aware to the unaware. Who then benefits from this book in its current form? Probably junior IT staff and Security researchers for a good introduction ... to junior IT staff. Non-IT staff are probably better off with Secrets and Lies: Digital Security in a Networked World which is aimed at managers more than anything, technical people probably already know where to look (if not check out Bruce Schneier's free newsletter at [...] ).
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Good Intro to Next Gen Attacks,
By Chris Gates (NoVA, USA)
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.
At this point I was thinking I had a dud on my hands BUT Chapter 2 -- "Inside-Out Attacks: The Attacker Is the Insider" redeems. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS shell for XSS exploitation instead of using BeEF which is actively maintained and developed. All the other chapters (except for Chapter 3) were very good, none of the others are as technical as chapter 2 but I believe they cover the current trends in an entertaining and readable way. Like one reviewer mentioned the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high level "possible" attacks versus any "probable" attacks. With the exception of possibly making insecure VMs and getting people to run it. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors' talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing vulnerabilities that would be/were not considered high risk into high risk issues by combining one or more together which actually is "next generation". Chapter 3, IMO didn't cover anything new. Mostly a discussion of insecure protocols, arp spoofing, email spoofing. While still a relevant issue in security not "next generation".
4.0 out of 5 stars
Ask Felgall - Book Review,
By Stephen Chapman (Sydney, NSW, Australia)
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
"Be prepared, not scared" says one of the review quotes on the back of the book which I thought was really appropriate since this is a rather scary book. Scary in the number of vulnerabilities that systems have which may be completely open to attack if you are not aware of the attack methods that ths book describes so that you can prepare a defence against them.Given the size of the book, it covers a large range of different aspects of modern computer security with loads of useful information on how information can be gathered from a variety of sources in order to be able to breach the security of other systems. What is particularly interesting is all the vulnerabilities that it covers which by themselves do not appear to pose much risk but which when combined together represent a huge risk. In the hands of someone attempting to break into computer systems this book provides a whole lot of useful information in one place (but which probably could have been pieced together from other sources anyway). The benefits to those attempting to secure those systems against attack are even gtreater though. The attacker only needs to find enough information to be able to work out one way that they can successfully break into a stsyem and so would only need to use a small part of the information in this book to break into an unprotected system. They could easily obtain that small amount of information from elsewhere. The defender though needs to defend against all possible attacks and so having all of this information readily available in the one book is of great benefit to them. It's still scary just how easy many of the attack methods the book describes are but the first step in defending against attack is identifying ways in which an attack might take place so as to prepare a defence and this book will greatly assist with this.
5.0 out of 5 stars
Review by the Berglund Center for Internet Studies,
This review is from: Hacking: The Next Generation (Animal Guide) (Paperback)
The core audience for the book is probably best defined as I.T. professionals in charge of protecting large systems, corporations or institutions, but the nature of the book also makes it valuable for simply those wishing to be better informed on the threats of hacking. The reference to "...The Next Generation" in the title is to hackers who primarily use Web 2.0 functions to accomplish their intrusions. One of Dhanjani's primary arguments is that the "perimeter defense," that is, trying to block all possibly malicious intruders at the firewall, while obviously still necessary, has basically been superseded by new applications and new platforms. This is particularly true within the "cloud," virtual servers created in other people's digital space, such as Google or Amazon's vast server aggregations.
One of the delights of the work is that the authors are splendid teachers. Some works of this genre present the material choppily broken down into segments: horror stories, fixes, sites you should visit, annotated list of tools which are probably already outdated, etc. This text is fully integrated, you get the information you need to know in plenty of time to take your level of understanding up a notch, and if you decide to bail off the learning curve as it rockets skyward, you still feel that you accomplished something. The careful integration and layering of the text means that the book is highly useful for those who despair of ever walking the I.T. walk but desperately need to occasionally decipher the talk, if not actually talk it. If you should worry about the security at your operation, then you probably should read the book just to be sure that those upon whom you depend are aware of the new generations of threats. For a full review see Interface Volume 10 Issue 3.
Hacking: The Next Generation (Animal Guide) by Nitesh Dhanjani (Paperback - September 28, 2009)