Customer Reviews

Stealing the Network: How to Own the Box

5 star:		(17)
4 star:		(13)
3 star:		(1)
2 star:		(2)
1 star:		(0)

 

 

As an admitted Slashotdot-reading, command-line geek, I looked forward to this book, but as a finicky reader and former English Lit major I was skeptical. Turns out it's great on both levels: as a topical, informative text and as a downright compelling collection of short thriller-type stories.

For those who have some familiarity with the subject matter, this book rings completely true and for those who do not, it's still fun and understandable.

It's an expensive book, so I waited a while, but in retrospect it delivers on the high price. Unlike most of the novels I read which wind up on my living room shelves for a while or are passed along to friends, this one wound up on the reference shelf in my computer room along with other network security books (and with a few post-it bookmarks sticking out to boot).

If you are hesitating because of the price or are worried that the writing will disappoint, I can assure you that you will be pleasantly rewarded for your investment. Best thing I've read in the genre since Stoll's superb "The Cuckoo's Egg."

I saw this book on the shelves and started flipping through it. Next thing I know it was a half hour later and I was still sitting on the floor with the same book in my lap.

In particular I wanted to read the chapter about H3x's adventure in networkland, since it seemed the most intriguing. She's a sexy female hacker that hits nightclubs and has a neon social life - so already we know the story is fiction, right?

I noticed that the author of one of the chapters posted a review. I didn't pay attention to which chapter and don't have the book in front of me, but he states that all the methods used are possible. Well, you can't have a technical book without subjecting it to technical scrutiny. Here's where the meat of my review weighs in: H3x's adventures sometimes make no sense, and other times are technically wrong. Let me explain.

First she realizes the changes she made on the routers at a university were logged to a syslog server, so she hacks that to cover her tracks by taking out the network address she used. Nevermind that she configured the routers to point a GRE tunnel to her home network, and then set "0wn3d" (or something similar) as the interface desription. Isn't that like sneaking tiptoe through a house late at night with a blaring stereo on your shoulders? And what kind of pipe would be going into her home to be able to keep up with an ethernet connection on a campus network? At this point everything is still technically possible, although somewhat unbelievable. Still - this is fiction after all.

The administrators catch wind of this and do all the obligatory password and community string changes, tightening of security with access lists and pant-wetting. Discovering H3x can no longer get in through the front door, she whips up some java which acts as a UDP proxy and tosses it on a network printer. Using this she is able to bypass some access lists and TFTP the configurations off the Cisco routers - and here's the kicker - without needing community strings. Unfortunately, this just is not technically possible.

I'd be curious to see what other technical reviewers have to say about the books merits. Again, it's a fascinating read but you may want to take some of the stories with a grain of salt. The landmine heist is another vastly entertaining story that bleeds into the absurd at times.

Read the book and let others know what you think of it!

You may be asking yourself why I am writing a review of "Stealing The Network - How to Own the Box" (Ryan Russell, Tim Mullen, et al, Syngress Press, 2003, 429 Pages) two years after it came out in 2003. The reason is that next month, the third book in this series, "Stealing The Network - How to Own an Identity", is being released by Syngress. So in anticipation of this new title, I wanted to read this book, as well as "Stealing The Network - How To Own a Continent" (review to be written later this week). I did not expect to be drawn in as quickly as I was by this book, but I found myself being drawn in by the totally unique style in which technical content is presented and the fast pace the narrative took.

Each chapter presents a mini-scenario that demonstrates how specific network vulnerabilities can be exploited, causing potential problems and losses from organizations. What sets this apart from many of these books that I have read is that is kind of set up in the style employed by the television serial "Law and Order: Criminal Intent": a focus on narrative and knowledge from the point of view of the bad guys. While this is a work of "techno-fiction", the level of detail suggests that only the names were changed to prevent the innocent (or the guilty system administrators who fail to lock systems down as well as they should or could).

Another interesting point throughout this book is the emphasis on "social engineering", an oft overlooked weakness that has only started gaining true visibility in the evaluation and education of system administrators, managers, and end-users through highly visible incidents. It is kind of refreshing to read a detailed tale of what led a hacker to jump in a dumpster to find out information, and what led him to that point.

It is the unique approach the authors take that may make the book a more palatable read for true "uber-geeks", rather than these people not wanting to read a dry book presenting technical material in the typical dry approach, which for sure puts me asleep any day of the week. It may also make the topic more readable for non-technical managers to get a better understanding of their risks and vulnerabilities without getting buried in technical detail. However, this also is one big weakness of the book: there is no index of keywords or topics to go back to for easy reference, which would make the book a more used reference than just a good "summer beach book".

Who Should Read This Book

This book should be read by students starting out their formal education in computer information systems. It can teach them lessons without beating them over the head. The book should be read by system administrators so they can see that technical information can be presented in simpler ways, encouraging them to work on their "soft skills". Finally, it should be read by non-technical management so they can understand that the risks and vulnerabilities are very real, and need to be addressed.

Scorecard: Par on long Par 4

Note: When you read my review for "Stealing The Network - How To Own a Continent", you will hopefully understand why I only gave this book 4 stars.

"Stealing the Network" (STN) is an entertaining and informative look at the weapons and tactics employed by those who attack and defend digital systems. STN is similar to the "Hacker's Challenge" books published by Osborne, although the stories are not separated into evidence and resolution sections. Rather, a collection of authors use mildly fictional tales to introduce readers to tactics and techniques used by black and white hat hackers.

My favorite chapter was written by FX of Phenoelit, where a female black hat battles white hat defenders. The playing field includes HP printers, GRE tunnels between routers, and other novel tricks. Reading both sides of the story was fun and educational. I also liked Joe "Kingpin" Grand's insider theft case (ch 3), featuring Palm hacks and Blackberry sniffing. The worm disassembly chapter by Ryan Russell and Tim Mullen is worth reading as well.

This book is worth reading, but it's $... cover price is steep. While the stories are fictional, much of it is probably based on the author's experiences either consulting or studying similar incidents. This book can best be used by security professionals to test how they would have responded to the threats presented by the fictional adversaries profiled in STN. There's plenty to be learned by reading STN, and I hope to see sequels.

In some ways I though this would be a recipe book of hacks like most in this category. This book has great stories about hacks from the hackers point of view. It is a lot of fun following the thought process as the hack's progress. There is a technical side to the book, but its buried within the stories. I will go back through the book again and make notes of the different techniques used.

So if you're tired of seeing screen shots of a debugger doing hex dump for some nerd stealing or saving the world and want some realistic stories, this is the book to get.

There are many books out there on security this one manages to be unique. I love the way they take real accurate information about various ways to get around security and break into networks and apply them to fictional situations.

The pace goes quickly because you get drawn into the story. You can always go back and re-read to pick up the details of how the character in the stories did their attacks. What keeps you going forward is the story.

Some of the chapters are not as good as others but because they stand alone it is easy to jump around from chapter to chapter sticking to the ones that draw your interest.

Anyone involved in securing a computer or network could benefit from reading this. The only problem is it could make you a little paranoid.

_Stealing the Network: How to Own the Box_ has 10 stories with a first person narrator, who is either an attacker, or in two cases, a defender. While the characterization isn't up to the standards of (good) commercial fiction* in most cases, it makes the technical medicine go down easier and gives a picture of who and why people do this stuff. That picture is useful in making an abstraction feel more like a concrete threat.

I think this would be a good intro for a non-technical manager of security staff who needs to know why we have to worry about these things. It's a faster read than Bruce Schneir's admirable _Secrets and Lies_, which is a straight discussion of how to think about security, and probably more rigorous and complete. This offers specific examples and leads to many similar lessons. I will read the next one, How to Own a Continent, when its turn comes up in the queue.

One quibble: for a book published in 2003, with a chapter that mentions Snort a couple of times, I was disappointed in the Laws of Security Appendix. Specifically, the Law that "Any IDS can be Evaded" contains some material that is way out of date. To state that "free ones are starting to come available" at least a decade after Shadow, and at least a couple of years after Snort surpassed proprietary intrusion detection solutions, is a bit, well, weird. Snort is big time - Checkpoint just bought the company that writes it. The two chapters telling a defender's tale refer to Snort.

Also, I'm not convinced of the law's validity. The escalation between intrusion evaders and detectors is an interesting one but I think IDS has the advantage in this go-round. We can detect it, if we're watching the right things. Many of the evasion techniques are themselves alertable!

Apart from that, I found myself nodding in agreement with most of what was said. This taught me some things, and I've read pretty widely. This title is available cheap if you look at used. Check it out.

*It's at least better than Tom Clancy, whose plots are the only thing separating him from pure cheese, the male equivalent of a romance novel.

Normally I don't review fiction books because I find that those books don't capture my attention. Stealing the Network is the exception to the rule as I found myself completely engulfed in each story.

Nine different authors come together to show you a world you may have heard about but never thought could, would or will ever happen to you and your company - the act of being hacked and having information stolen.

These guys hold senior IT positions with years of experience and they share what they know with you to help you better understand the mindset of the hacker.

I found the stories enlightening as well as a little frightening, and even a little intriguing. Overall this book was a great read with a healthy dose of reality mixed in.

Ok, maybe I'm a bit of a geek, but I loved this book. The book is a collection of short stories about hackers stealing information or seriously messing with people. There's also one great story at the end about a guy tracking a hacker and catching hem. I like the book so much because the stories were really entertaining and the attacks were very detailed and well thought out. So, in addition to being enertained you also actaully learn something about security. There are so many "hacking" books out now, I was glad to find one that is really different. The stories do a great job of giving security professionals insight into how/why criminal hackers do what they do, without being condascending or just goofy like a lot of the hacker type stuff you see on TV or read in the main stream press.

Is this book relevant? Read chapter 2 and compare it to the events of the last two weeks - Blaster and Nachi (the fixer) I started telling people around the office about the fictional story (hah) becoming reality and they thought I was talking about the twilight zone. This book rocks!!