Reviews Written by Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC)

Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions
by Rich Cannings
3.0 out of 5 stars Not enough content for the price, October 24, 2009
I have to agree with the other 3-star reviews of Hacking Exposed: Web 2.0 (HEW2). This book just does not stand up to the competition, such as The Web Application Hacker's Handbook (TWAHH) or Web Security Testing Cookbook (WSTC). I knew this book was in trouble when I was already reading snippets mentioning JavaScript arrays in the introduction. That set the tone for the book: compressed, probably rushed, mixing material of differing levels of difficulty. For example, p 8 mentions using prepared statements as a defense against SQL injection. However, only a paragraph on the topic appears, with no code samples (unlike TWAHH).

Despite having 4 fewer contributors than TWAHH (which had 10), HEW2 showed the signs of overlap common in books by large teams of authors. I also severely disliked the authors' use of their company's SecurityQA Toolbar. Better to advertise the book as a guide to using SecurityQA Toolbar for Web assessment than as a regular Hacking Exposed title.

You can safely skip HEW2. It's likely the next good Hacking Exposed title on Web security will be Hacking Exposed: Web Applications 3.0.

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast
by Paco Hope
5.0 out of 5 stars Excellent book for Web developers writing unit tests, October 24, 2009
I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for developers, those books are more or less aimed at assessment professionals. WSTC, on the other hand, is directed squarely at Web developers. In fact, WSTC is specifically written for those who incorporate unit testing into their software development lifecycle. I believe anyone developing Web applications would benefit from reading WSTC.

I am not a Web developer, but I really enjoyed reading WSTC. The book is not very long compared to TWAHH and WSTC, but it is very clear and well-written. The test or "recipe" format is easy to read quickly, and it makes for disciplined writing on the part of the authors. I really liked the use of all open tools, in contrast with Hacking Exposed: Web 2.0 (HEW2), a competing book. WSTC is well-organized, building on previous material in a coherent manner suitable for those with less experience in unit testing for Web apps.

I'd like to give special praise to chapter 4, Web-Oriented Data Encoding. As a Network Security Monitoring practitioner, I often encounter Web traffic encoded using the very methods described in chapter 4. This section helped me understand what I see, so I recommend it to those who aren't Web developers but who do need to understand Web traffic on the wire. I felt the same way about chapter 7, which explains the intricacies of using cURL.

I have no complaints regarding WSTC. I think it defines a powerful methodology for approaching Web security, and other authors might want to consider emulating its approach. Great work!

SQL Injection Attacks and Defense
by Justin Clarke
5.0 out of 5 stars Another serious contender for Best Book Bejtlich Read 2009, October 24, 2009
I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner.

SIAAD is very detailed, with code samples to demonstrate the authors' attack patterns. They cover multiple programming languages, multiple databases, and flood the book with examples. It's clear the authors utilize these methods for their daily work. Just about every situation is addressed, like returning database query results using DNS, HTTP, database connections, and even email. I admit I laughed when reading that chapter 7 offered "advanced topics." I thought the first 6 chapters were advanced enough, given the depth of the material!

I had no real issues with this book, but it's important to realize you won't read about attacks against PostgreSQL, for example. Other reviewers noted this as well. However, the authors do concentrate on the methodology and offensive mindset needed to attack any SQL database. I believe dedicated readers could apply the lessons of SIAAD to products beyond MS-SQL, Oracle, and MySQL.

Great work -- this is the sort of "niche book" that should be referenced by anyone else who wants to cover Web-related attacks.

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
by Dafydd Stuttard
5.0 out of 5 stars Serious candidate for Best Book Bejtlich Read 2009, October 24, 2009
The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read for those even without Web development or assessment experience.

At 736 pages, TWAHH is the sort of book that one needs to read more than once in order to digest its contents. At every turn I perceived the authors to be experts and I trusted their advice. Their "Hack Steps" sections nicely summarize key points for operators. The authors integrate explanations of HTTP as a protocol into their text, without boring readers already familiar with the protocol. They also demonstrate their subject using code snippets for multiple languages and products.

While I considered almost all of the book to be equally helpful, I'd like to mention three specific chapters or sections. First, chapters 1-3 provided a great technical overview of the subject. Chapter 11, Attacking Application Logic, featured examples from the authors' consulting experience which really resonated with me. Finally, I liked the recognition of the importance of locally-written applications, called "bespoke" applications, in chapter 13.

I struggled to find much to complain about in TWAHH. My only concern appeared early in the book, when the authors talked about "all user input is untrusted." They really meant "all user input is untrustworthy," or they should have said "Web developers should consider all user input to be untrusted, but they often trust it." The difference between "untrusted" and "untrustworthy" is subtle, and I still understood the authors' point.

I strongly recommend TWAHH to anyone with a role in defending Web applications. The authors have set a very high standard with this book. Great work!

Windows Forensic Analysis DVD Toolkit, Second Edition
by Harlan Carvey
5.0 out of 5 stars There is no substitute for this book, September 7, 2009
I read and reviewed the 1st Ed of this book in July 2007, and I just finished reading Windows Forensic Analysis 2nd Ed (WFA2E) this weekend. If your job involves investigating Windows systems, you must read this book. It's as simple as that. There is no substitute for this book. It also perfectly complements other solid forensics works already published.

The three main reasons why I liked the 1st Ed hold for the 2nd Ed. The subject matter is exactly what I wanted to read. WFA2E introduces a vast number of tools to help investigators implement the concepts explained by the author. Harlan brings a lot of experience to WFA. Of these three, I really appreciate Harlan's experience. He is constantly "in the fight" so he knows what works and what doesn't. He's been around so long that he knows what he's talking about. If he encounters a problem, he can either try fixing it himself or he is friends with someone who can work the issue. All of these characteristics shine in WFA2E.

I expect to see a 3rd Ed of this book in a few years, incorporating more Windows Vista and Windows 7 material. It might also be helpful to consider techniques for Windows Server and Mobile platforms in the 3rd Ed. Regardless, I will look forward to that book when it arrives because I enjoyed WFA1E and WFA2E so much.

The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
by John Viega
3.0 out of 5 stars Since consumers don't care about security, why write a book like this for them?, August 13, 2009
Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However, if most consumers think "antivirus" when they think "security," why would they bother reading The Myths of Security (TMOS)?

TMOS is strongest when Viega talks about the antivirus (or antimalware, or endpoint protection, or whatever host-centric security mechanism you choose) industry. I didn't find anything to be particularly "myth-shattering," however. I have to agree with two of the previous reviewers. Many of the "chapters" in this book could be blog posts. The longer chapters could be longer blog posts. The lack of a unifying theme really puts TMOS at a disadvantage compared to well-crafted books. I was not a huge fan of The New School of Information Security or Geekonomics (both 4 stars), but those two titles are better than TMOS.

If you want to read books that will really help you think properly about digital security, the two must-reads are still Secrets and Lies by Bruce Schneier and Security Engineering, 2nd Ed by Ross Anderson. I would avoid Bruce's sequel, Beyond Fear -- it's ok, but he muddles a few concepts. (Heresy, I know!) I haven't read Schneier on Security, but I imagine it is good given the overall quality of his blog postings.

If you want to shatter some serious myths, spend time writing a book on the "80% myth," which is stated in a variety of ways by anyone who is trying to demonstrate that insider threats are the worst problem facing digital security. If you're going to pretend to debunk open source security, why not back it up with some numbers? Studies have been published recently, and original research and results would be welcome. How about demonstrating that user awareness training wastes money, because enough marks fall prey anyway? I'd also like to see research showing that frequent password changes are worse for security, not better. Wrap all of that in a coherent manner with substantial chapters and you have a real TMOS book.

IPv6 Security
by Scott Hogg
5.0 out of 5 stars The IPv6 security book the world needs, August 5, 2009
I've read and reviewed three other books on IPv6 in the last four years: "IPv6 Essentials, 2nd Ed" (IE2E) in September 2006, "Running IPv6" (RI) in January 2006, and "IPv6 Network Administration" (INA) in August 2005. All three were five-star books, but they lacked the sort of attention to security that I hoped would be covered one day. IPv6 Security by Scott Hogg and Eric Vyncke is the book for which we have been waiting. Although some of the early "philosophical" security discussions (what's a threat, where are they) are lacking, the overwhelming amount of thorough and actionable content makes this book a winner.

IPv6 Security reminded me of Cisco Router Firewall Security (CRFS) by Richard Deal, which I also liked a lot. CRFS was Cisco-specific and helped readers squeeze all the network-level security features they could from their routers. IPv6 Security is similar, but even better because readers receive guidance for Windows, FreeBSD, Fedora, and even Solaris, in addition to Cisco gear. One note on FreeBSD, however: p 42 says "FreeBSD systems are susceptible to RH0 attacks," although FreeBSD issued a fix in April 2007 with Security Advisory FreeBSD-SA-07:03.ipv6.

In addition to offering configuration guidance for a variety of products, IPv6 Security used Scapy6 to demonstrate various IPv6 traffic types. I liked this approach, although a brief appendix explaining Scapy usage would have been appreciated. The book also covered material I had not seen elsewhere, like shim6 for multihoming. I would have liked some examples of IPv6 NetFlow output, as hinted at in Ch 11. Using SCTP with IPv6, also mentioned in the book, would have been helpful and innovative too.

My main issue with IPv6 Security (and it is minor, given this is a five star review) is the inappropriate use of the word "threat" early in the book, and the unnecessary focus on "insider abuse." On p xix the authors say IPv6 is a "threat," and they say threats "exist" in IPv6. IPv6 implementations may introduce vulnerabilities and exposures, but not "threats." On p 8 the authors cite the 2007 CSI/FBI study by saying "59% of all survey respondents suffered from insider abuse of network access." They use that "statistic" to justify saying "the percentage of internal attack sources is likely to be even higher today... The key issue is that most organizations do not spend 50 percent of their security budget on mitigating inside threats." This has nothing to do with IPv6. If it is related to IPv6, reading page 2 of the 2007 CSI/FBI study shows that the 59% figure means "Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software)". That's hardly the "attack source" the reader should associate with security for IPv4 or IPv6 networks.

Overall, I strongly recommend reading IPv6 Security. There's no other book on the market with the depth of actionable defensive information available.

Voice over IP Security
by Patrick Park
4.0 out of 5 stars Good book on VoIP security for engineers and VoIP implementers, July 28, 2009
The reviews of Voice over IP Security are fairly consistent at 4 stars, and I agree with that consensus. I've read a few books on this topic, and early titles were fairly awful. My favorite remains Hacking Exposed: VoIP, but a comparison with Voice over IP Security shows different audiences for the two books. The HE book is better suited for those assessing VoIP systems, while this book is better for engineers and those implementing VoIP systems.

Voice over IP Security is unique because it pays special attention to lawful intercept issues. I can't recall another book with 2 chapters on LI and CALEA alone. I also liked the many diagrams, some of which present very complicated information in a clear manner. The author is very thorough and I appreciated when he showed details for various VoIP protocols.

On the downside, I thought the book was very dry. In some places the English was rough. The copyeditor should have fixed those errors. For example, I found three places on p 108 where I could tell the author might not have spoken English as a first language. These minor errors should be fixed in future printings. Also, I found HE:VoIP's explanation of security issues to be better suited to my mindset. The HE:VoIP authors even built tools just to demonstrate VoIP issues, while this book relied on older tools (PROTOS) or common ones (SIPSAK, etc.).

The bottom line is that if you are building VoIP networks, especially supported by Cisco gear, you will find Voice over IP Security to be helpful.

Vi(1) Tips: Essential Vi/Vim Editor Skills
by Jacek Artymiak
5.0 out of 5 stars Great short book on vi, July 15, 2009
I agree with just about everything that appeared in [...] review. Jacek Artymiak has written a sort of "vi(1) for the Desperate" covering all of the aspects of vi I would like to see addressed. I could see this book used in an introductory Unix class where the students are expected to try all of the examples. Jacek posted the sample files used in the book examples at [...], so you can easily follow along.

I have one minor point that might help vi users. On p 13 Jacek discusses Switching Between Files. This vi feature is helpful when a user opens several files for editing. Users can easily move forward through a list of files using the :n command. However, the Ctrl+^ command only returns to the last file viewed. If you have three files open, for example, and you move from 1 to 2 to 3, you won't be able to return to file 1 by using Ctrl+^. However, you can invoke the :e filename command, e.g., :e 1, to return to file 1. I couldn't find a way to cycle back through a list of files, as you could go forward with :n. I'd like to see a future printing make this situation clear.

Anyone who uses Unix should understand vi, so I recommend this book as a resource for those who like to learn by reading a printed book and following exercises supported by example files.

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century
by Ryan Trost
3.0 out of 5 stars Disjointed collection of chapters that doesn't practically analyze any intrusions, July 11, 2009
I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.

Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro. Someone who had to read the material in chapters 1 and 2 is not going to understand the Snort discussion, especially when it mentions byte_test, depth, regex, http_inspect, uricontent, Structured Exception Handlers, and 16 line Snort signatures. I liked seeing Bro mentioned, but the people who are going to be able to follow the sample Bro policy scripts on pages 75-78 are not the ones reading this book.

Ch 4 outlines several examples of writing signatures for Snort. This section is actually interesting, but you have to know Snort and certain advanced topics pretty well to get value from this section. Readers need to compensate for the far-too-small screenshots and lack of supporting details while reading the examples. Readers also need to figure out what the author is doing, such as when he sets up a client-side exploit against FlashGet by starting a malicious FTP server with flashget-overflow.pl. By the second example he's dropping warnings like "Had Core's advisory told you from where the size of the call to memcpy was coming, you might have to refine the signature to check for the appropriate behavior; unfortunately, the disassembly left out that argument:" [cue the ASM]. The bottom line with this chapter is this: know your audience, and write for them -- not your buddies. People who can follow contributions like this "at line speed" aren't going to read this book.

By ch 5 the "practical" aspect of this book has been left behind, with a discussion of "proactive intrusion prevention and response via attack graphs," which is really an academically-derived discussion of "topological vulnerability analysis." No one does this in the operational world, and no one will. Pages 143-144 talk about IDMEF, even though that specification died years ago. (There is still an independently-maintained -- as of Feb 09 -- Snort-IDMEF plugin. I don't know anyone in industry using it.)

Ch 6 is a generic overview of using network flows. The only new material is less than a page on IPFIX, which is just a table comparing that newer format with NetFlow. Ch 7 is called "Web Application Firewalls," but it's just an overview. Read Ivan Ristic's Apache Security or Ryan Barnett's Preventing Web Attacks with Apache if you want to know this topic. Ch 7 is titled "Wireless IDS/IPS," which is an even shallower overview than the previous topic. In none of these chapters do we have anything practical nor any intrusions analyzed. Ch 9 discusses physical security, but I didn't think it fit with the intended theme for the book.

I thought chapter 10 was interesting. Geospatial and visualization techniques do have a role in many operations, and ch 10 had the only example of an intrusion analysis. Unfortunately I don't think readers could take ch 10 and implement their own operational system. Ch 11 seemed irrelevant in light of the excellent visualization books by Raffy Marty and Greg Conti.

The book finishes with ch 12, Return on Investment: Business Justification. It was totally unnecessary: cite some regulations, list some breach costs, then compare ROI, NPV, and IRR. Talk a little about MSSPs and cyber liability insurance, then end. If you really want the best discussion of security costs, read Managing Cybersecurity Resources by Gordon and Loeb.

The subtitle for PIA is "Prevention and Detection for the Twenty-First Century." Readers will not find that in PIA. The lead author started with a kernel of a good idea, but the end result does not deliver enough real value to readers. The lead author's material, and the chapter on Snort signature writing, could have been published as digital Short Cuts, or included in a compendium of chapters in a "survey" book. If you want to read a book on intrusion analysis, you're more likely to be satisfied reading a book on intrusion forensics.