Customer Reviews

Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day

5 star:		(10)
4 star:		(4)
3 star:		(3)
2 star:		(1)
1 star:		(1)

 

 

Spies Among Us is in many ways similar to Winkler's previous book, Corporate Espionage. It describes threats and vulnerabilities, gives case studies of attacks and penetrations (some malicious by miscreants, some as part of his own testing), and offers countermeasures and lessons learned.

The book is divided into three parts--Part I is on "Espionage Concepts," which describes the intelligence process, forms of information, risk equations, how security's components are confidentiality, integrity, and availability, how to measure asset values, and so on. Part II is "Case Studies" and is the most interesting and original portion of the book. Part III is "Stopping the Spies," about specific vulnerabilities and countermeasures.

As in the previous book, Winkler's advice is sound and the case studies are interesting. Unfortunately, much of the book duplicates the prior book and other books in the field, which is part of why it took me three months to get through this book--I got hung up in Part III, which was mostly old hat.

What I found most disappointing about the book beyond its lack of novelty were two features: first, that there were frequent errors and omissions which seemed a display of either lack of research or carelessness; second, that Winkler takes many opportunities to tell the reader that he's involved in important things, but without showing the evidence for it.

Examples of the first include not only simple things like typos that should have been caught by the editor (p. xv "phased" for "fazed", p. xvi "over" for "cover"), but factual errors. On p. 55 he writes of the 1996 blackout of "nine states of the Pacific Northwest." There aren't nine Pacific Northwest states, and there were two Western U.S. 1996 blackouts caused by power lines sagging to trees, an Idaho/Wyoming line on July 2 affecting 14 Western states and a California line on August 10 affecting states from Oregon to Mexico and Texas.

On p. 78 he gives estimates of the number of people with various hacking skills which appear to have been pulled from a hat; I suspect his estimate of 100,000 people capable of developing hacking tools from knowledge of vulnerabilities is a substantial underestimate.

On p. 81 he claims that, contrary to other countries, the U.S. government intelligence agencies don't pass information back to U.S. companies. While this is official policy, counterexamples may be found (e.g., the book Friends in High Places discusses information flow in both directions between the CIA and the Bechtel corporation in the Middle East).

On p. 143, Winker writes that "There has supposedly been only one day zero attack, which is an attack that exploits a vulnerability that was not previously reported and known." No reference (though I suspect he's referring to a successful 2003 attack on Microsoft IIS against the U.S. Air Force prior to the March 13, 2003 release of MS03-007), and surely false, if by "reported" he means reported to the general public, e.g., via a published security advisory.

Omissions include his discussion on p. 93 of Israeli intelligence actions against U.S. corporations, where he says "an Israeli telecommunications [company, sic] acquired a U.S. domestic carrier" and "now has control and access to the phone lines of many companies," but doesn't name the company. Why not? Isn't this something of importance for U.S. companies to be aware of? (Perhaps he is referring to Verint, formerly Converse Infosys.)

Similarly, on p. 94 he writes that "There are also the recent charges of a Pentagon official who passed classfieid documents to Israel through a political lobbying group," but omits any details, even though these charges against Lawrence Franklin, who worked under Douglas Feith at the Pentagon, were well known (and Franklin has since confessed).

On p. 95 he writes of a German intelligence project, Project Rahab, that "one of [its] major reported successes includes infiltration of the SWIFT system, which is one of the world's major financial networks." Again, no references--in this case, the allegation probably comes from Timothy Haight's article "High Tech Spies" in the July 5, 1993 issue of Time magazine (p. 24), regarding the BND (German intelligence) use of a virus written by Chaos Computer Club member Bernd Fix. According to Fix (search the web for Rahab, SWIFT, and Bernd Fix and you'll find his commentary on this), there have been a lot of wild claims made, and he can't vouch for any of them. Any of these omissions could have been elaborated on and made the book much more interesting.

Winkler's self-aggrandizing can be found at a number of points throughout the book, such as on p. 84 where he writes that a small literary agency can represent people "some of whom (such as myself) have access to sensitive information." My favorite example is on p. 121 under the heading "personal aggrandizement," where Winkler writes that "An individual's desire to impress others has caused some of the biggest security problems in history." In the very next paragraph, he writes, "As I mention in the Introduction, one of my female friends was a CIA operative who posed in Playboy magazine."

Still, the book is worthwhile for a solid collection of vulnerabilities and countermeasures if you don't already have one, and the case studies are enjoyable (some of which are from Winkler's direct experience, others of which are reports of cases which have been reported on elsewhere, such as Alexey Ivanov in chapter 10 and Abraham Abdallah in chapter 11). One weakness of chapter 13 ("Taking Action", about setting up a security program and implementing countermeasures) is that it gives short shrift (p. 304) to measurement of effectiveness and the security life cycle.

Read this book to appreciate what is (or should be) keeping your Information Security Manager awake at nights, and to understand what he/she probably wants (or ought) to do about it.

Ira learnt his trade working for the US National Security Agency. His spooky background provides a somewhat disturbing undercurrent throughout the book but this is neither a James Bond training manual nor a shock horror exposé of the murky world of spies. It is in fact a very broad exposition highlighting the urgent need for all organizations to implement suitable information security controls.

Chapter five "How the spies really get you" should be compulsory reading for all managers. In less than fifty pages, Ira explains how virtually anyone in or associated with the average organization may represent a vulnerability, some more than others. I challenge any experienced manager to read this chapter without thinking about probable weaknesses in their own organization, perhaps even in their own departments.

If chapter five piques your interest, I guarantee you will enjoy the rest of the book. The previous four chapters set the scene, explaining that information security is far more than simply a matter of implementing system/network access controls. The next six chapters (part II of the book) present compelling case studies built (we are told) around genuine real-world situations. Ira is known for describing attack methods quite explicitly, meaning that having read the case studies, you will be in a similar position to those who actually committed these attacks. Each case concludes with a description of the vulnerabilities exploited.

The final two chapters (part III) attempt to redress the balance by explaining how to address the risks presented in the rest of the book and so `stop the spies'. Given the broad nature of the threats and vulnerabilities described in parts I and II, it would be unrealistic to expect to get a complete set of answers in just two short chapters ... but that would miss the whole point of the book. Part III gives an overview of the main elements of most information security programs. In one, two or occasionally three paragraphs, Ira explains what the average Information Security Manager actually means by concepts such as single sign on and defense in depth.

This book should provide a wake-up call to complacent managers who feel their organizations are somehow immune to industrial espionage, social engineers and even terrorist infiltration.

So just how safe are you and your company/organization? My guess is, not very. Spies Among Us by Ira Winkler will definitely drive home that fact...

Contents:
Part 1 - Espionage Concepts: How To Be A Spy; Why You Can Never Be Secure; Death By 1000 Cuts; Spies And Their Friends; How The Spies Really Get You
Part 2 - Case Studies: Spy vs. Spy; Nuclear Meltdown; Fill'er Up!; The Entrepreneur; The Criminal Face Of The Internet Age; Crimes Against Individuals
Part 3 - Stopping The Spies: Taking Control; Taking Action; Index

Winkler is someone who does "attacks" for a living. He routinely is hired by companies to do threat assessment on their systems and locations, and unfortunately he is often successful with far too little effort. These assessments could be just a simulated attack to gain access to secured locations and systems that could then be compromised, clear up to security of nuclear facility information and terrorist attacks on fueling facilities at airports. It's that last one that is scary, in that it was done in a post-9/11 environment, and went off without a hitch. We're just not in the "security mindset" in most cases.

But rather than just go on about how easy it is to hack and crack systems, he also offers plenty of advice on how best to build a security program that is effective (both from a cost and result perspective). Each of the case studies ends with a summary that shows how something like this could happen, as well as what vulnerabilities were found and exploited. That piece by itself would be worth the cost of the book. But the final two chapters are where you'll benefit most. Winkler covers a multitude of counter-measures (personnel, physical, operational, technical) that can be implemented in order to have a more secure environment. The final chapter then explains how to implement a comprehensive program based on the value of your information and the amount of risk present. Rather than just saying "do this, this, and this", you get a customized approach based on your own unique situation. Really good stuff...

As he states early on in the book, there's no way to be 100% safe and secure. But you can do far more than "hope for the best". This is the book that can help you understand just how dangerous things can be and how at risk you are...

Ira Winkler's "Spies Among Us" finally cleared my head on the subject of ... oooh, so horrible ... " cyberterrorism." Intuitively, when you read about "cyberterrorism" you instantly think "what a load of bull", but the amount of press and "research" that you see coming about it, makes one wonder. As a result, I was somewhat confused about the subject. Until now! Ira's book finally cleared it: at this stage, "cyberterrorism" is positively, absolutely, 100% "bull product." Here is why: computer failures are an accepted thing. "Everybody knows" that computers "are flaky", and might crash at any time, taking your work (or a billion-dollar Martian probe :-)) with them. Thus, computers do a pretty good job damaging themselves and things around them, and, thus, people will not be terrified if it happens due to malicious actions by whatever cyber-terrorists. Now, the above obviously doesn't cancel the use of computers and the Internet by the terrorists, but this is not what is commonly understood as "cyberterror."

So, the book is fun! The book starts from "espionage concepts" and continues on to case studies (the most fun part!) and countermeasures parts.

"Spies among us" also highlight some commonly overlooked truths in the security arena, such as that users' errors are more damaging, in aggregate, than all the malevolence of all the spies in the world. Acts of God, not "hackers", run a close second. Also, the section on countermeasures really stresses the point that many a sophisticated attack was ruined by the simplest countermeasures, applied deliberately and consistently.

Among other things, I loved the insider profiling bit, where the profile of the hardest working employee matches that of a "typical industrial spy." I also liked his country by country espionage coverage, such as how are Russian spies different from Chinese spies :-)

Overall, while the book clearly aims at a non-technical audience, even seasoned security professionals will benefit (or at least will have fun reading it), if not from the information, but from reliving Ira's experiences ("Can your organization be penetrated THIS way?"). Everybody related to security (and many who are not) should get the book!

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and two blogs.

In the first couple of chapters, I realize that this is not a novel of spy vs.spy, but an actual resource book that makes 100 % sense.
Mr. Winkler is speaking from experience and his background denotes a lot of it. I was very impressed with his style of writing and the material he covers. If anyone wants a career in Computer Security or Information Assurance, this book is a definite MUST READ and MUST HAVE in your library.

I come from the enterprise/corporate security world. Ira understands the spook side of security where budgets are greater, time more plentiful and stakes quite high. A good read.

This is an excellent book and it reads well. Since I have worked in some of the arenas the book presents I can relate to the subject matter. The book raises a lot of questions about our cyber infrastructure and our personal privacy.

In Spies Among Us, author Ira Winkler continues his unique knack for writing on deeply serious topics using his characteristic light and very readable style. This is what makes Winkler different and results in most readers either loving or hating his books. I count myself among the former group. As a long-time security professional, I consider Ira Winkler's work refreshing and informative.
Throughout the book, Winkler restates some of his pet phrases from his earlier books; but that is simply an indication that he has some very important points to make. What is new in Spies Among Us is the very relevant theme: "Relax - it's not terrorism...but does that really mean it's okay?" Winkler effectively uses this theme to demonstrate that public perception has changed since the terrorist attacks of September 11, 2001. Whenever a large scale incident occurs (e.g., a power outage, computer virus, plane crash, etc.), our first thought now is "terrorist attack." Once we learn that the incident was not terrorist-related, we seem to breathe a collective sigh of relief and say "oh good...no big deal." However, large-scale non-terrorist-related attacks are far more likely to affect our everyday lives - and affect us in a big way, if we are not properly prepared for them.
Everything from industrial espionage to natural disasters, from malicious computer attacks to major accidents, and from the identity theft epidemic to Internet scams can have a significant impact on our assets - as individuals, corporations, communities or government entities. We must not dismiss threats simply because they are not terrorist threats.
Through real-world case studies, examples and experiences, Winkler walks the reader through questions such as "who are the adversaries," "how do they target us," and "what can we do about it?" Chapter 13, the final chapter, is appropriately titled: "Taking Action." As the author implies, all the knowledge in the world about threats, vulnerabilities and available protective measures is useless unless you do something about it. In the closing chapter, Winkler lays out a practical starting point for developing a common sense approach to protecting critical assets.
Like most of Winkler's previous books, Spies Among Us strikes a perfect balance between a traditional security book (practical and useful, but also dry and tedious) and a spy novel (exciting, interesting and fast-paced, but not "real"). This book is the real thing and is packed with information that will appeal to a wide ranging audience - from security pros to novices, to people who simply want to enjoy an interesting read.
One of the things I respect most about Winkler is that he is one of the very few IT Security experts around the world who truly appreciates the full spectrum of comprehensive security risk management. He doesn't demonstrate the typical tunnel vision of IT Security types who view the entire universe through the eyes of a network connection and believe that the only valid solutions are techie solutions. Winkler takes a "big picture" approach that truly results in effective risk-based assets protection - not just a "feel good" solution. In my opinion, Spies Among Us is clearly another winner from the pen of Ira Winkler, a true professional who knows what he's talking about.

This book is sort of like the how-to or nuts & bolts book to serve as a companion to Kevin Mitnick's The Art Of Deception. Winkler explains how the spies, terrorists or other malcontents of the world are able to penetrate network defenses and compromise apparently "secure" networks to gain access to sensitive and confidential information.

The book may be targeted primarily at information security professionals, but in my opinion that is short-sighted. The value of a book like this- one that demonstrates the ease with which information can be social-engineered from naive people- should be shared with the masses so that they develop an awareness and can help to combat such attacks.

Spies among us provides an excellent look at the methods and techniques that can be used to exploit and infiltrate a government or corporate network, but more importantly Winkler provides a number or tools and techniques that the reader can apply to help prevent such attacks.

Some of the information may be too technically "deep" for an average reader, but most of the book is fairly easy to read and the "cloak and dagger" stories may be appealing, if not frightening, to just about any reader.

Definitely worth reading for just about anyone.

[...]

If you already own Corporate Espionage, save your money. If you don't own Corporate Espionage, buy it instead of Spies Among Us. Large sections of this book seem to be copied and pasted from Corporate Espionage (literally), with the exception of the case studies. Except instead of the eight case studies covering 130 pages that were in Corporate Espionage, this book has only six case studies covering less than 75 pages. This is inexplicable considering that Mr. Winkler repeats several times throughout the book how highly regarded the case studies were in his previous work... so this time instead of giving us more he gives us less. I guess he needed those pages to talk about how he steals billions of dollars from companies every day (I think he repeats this several times, although since he couldn't come up with any additional case studies I wonder if he hasn't spent the intervening years talking about it rather than doing it). We also gain a chapter on "Crimes Against Individuals" which is so clearly out of place in a book that is essentially on corporate espionage, that I'm not sure how the editors didn't cut it. I half way suspect that they asked him to include it, in which case I'm not sure why he didn't object. Either way someone should have axed it. Needless to say I was disappointed in this sophomore effort from Mr. Winkler, since his first book is one of my favorites. If you absolutely can't find a copy of Corporate Espionage, this book is probably worth 4 stars... but in comparison I can only give it two. To put this review in perspective, I'm a Sr. Information Security Analyst for a Fortune 50 company, protecting billions of dollars worth of information every day.