Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Books Media Book Reviews

Hacker's Challenge 2 95

Francis White writes "Hacker's Challenge 2 is the second volume in a series of books that present a series of real-world security scenarios and their solutions. For each scenario, information is given, clues are presented and questions are asked of the reader. Turning to the back of the book reveals what really happened along with suggestions and tips for how to respond to and possibly even prevent each presented attack." Read on for the rest of his review.
Hacker's Challenge 2
author Mike Schiffman, Bill Pennington, Adam J. O'Donnell, David Pollino
pages 352
publisher McGraw-Hill Osborne Media
rating 9
reviewer Francis (Frank) White
ISBN 0072226307
summary A computer security puzzle book with interesting challenges and detailed solutions

What It Covers

The scenarios in the book cover a wide range of current attacks. There are a few scenarios involving wireless access that each manage to point out a different facet of wireless security. Also, the book includes a few examples of network penetrations, a man in the middle attack, a bit of forensic analysis and the highly popular (in the media at least) "insider attack." One chapter focuses on exploit development using a simple stack overflow, which is a nice diversion.

The book's format is identical to that of the previous volume. Each challenge is rated Low, Medium, or High for Attack Complexity, Prevention and Mitigation. An account of each problem is presented (organized by date and time), often from the point of view of the person charged with figuring out what is happening or has happened. Logs are presented as they are requested by the investigator; the authors do a great job of following the thought processes and actions of the people responding to the incident as they discover each clue and take their steps forward.

At the end of each scenario description, there are a number of questions that generally help focus the reader's attention on the relevant parts of the scenario. After the reader comes up with some likely answers, he can turn to the back of the book where the solutions are found. Each solution is broken down into an explanation of the attack, how the attack could have been prevented, and steps to take to mitigate the effects of the attack after it has occurred.

The explanation highlights the clues that were presented, how they could have been used to solve the challenge, and the right (or wrong) steps the investigator took and why. Links to additional information and references are provided at the end of each solution.

The Authors

Hacker's Challenge 2 is written by Mike Schiffman (@stake), Bill Pennington (WhiteHatSec), Adam J. O'Donnell (working towards PhD at Drexel), and David Pollino (@stake). From the material presented, if not from their reputations and contributions to the computer security field (some of them under other names), the authors are obviously very familiar with analyzing and responding to security incidents. All of them contributed to the previous volume in the series. The book does not identify who wrote each chapter, unlike the first volume.

Why I Gave This Book A 9

I have read the previous volume in the series. I liked this volume a lot more, and while I was reading it, I tried to work out why. One of the possibilities I came up with is that they trimmed the number of authors from somewhere around ten, as they had used for the previous volume. The consistency of the writing and scenarios is greatly improved. The scenarios in this book are also much more interesting to me than in the previous book. It feels much more current than the previous volume. (I still recommend the previous volume, however, if you haven't been following possible attacks and countermeasures for a while. - I'd say I'd give it a 7.)

From the first chapter which opens with a still under-publicized layer-2 802.11 attack, it grabbed my attention. This is a great book for seeing not just what attacks are out there, but what attacks people in the security industry think are likely in the real world.

Like the previous volume, there doesn't appear to be much vendor bias in this book, which is always a welcome sight to me. Also, although the authors work in the security industry, they stay away from promoting themselves or their companies. (They do include links to some documents on company web sites, but they are technical documents, not marketing fluff.)

This volume is also packed with humor, although perhaps not everyone will appreciate or catch all of the jokes. My favorite quote in the book is from the chapter where "d4rkl0rd", a young novice hax0r who only speaks in l33t speak, is at the dinner table : "n0 m0m, 3y3 h4t3 gr33n b34ns, dUh!"

Conclusion

I definitely recommend Hacker's Challenge 2 to anyone interested in, or responsible for, computer security. Even if you are very familiar with the subject, it's worthwhile to look over the attacks and solutions presented, and to compare the suggested response with the one you would use if presented with a similar scenario. The book is worth picking up even if you have read the previous volume, as it is of even higher quality, and covers, for the most part, completely different attacks. The format is easy to read and the real-world problem scenarios presented are interesting enough to keep you reading. The solutions are well presented and thorough, covering not just what happened in the attack and how to put the course of events together from the clues, but also ways to prevent and mitigate the attacks. Highly recommended.
You can purchase Hacker's Challenge 2 from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Hacker's Challenge 2

Comments Filter:


  • Mad Libs for hackers...

    • Re:Sweet. (Score:3, Funny)

      by DonkeyJimmy ( 599788 )
      Mad Libs for hackers...

      good, now instead of replacing every adjective with smelly and every noun with ass, we can replace every adjective with 1337 sekret ninja and every noun with, well, ass.
  • ...when they can just hack Windows instead?
    =)
  • by Khalidz0r ( 607171 ) on Wednesday February 19, 2003 @11:52AM (#5335684) Journal
    Well, the idea of hacker challenges rings a bill to me, as *hacker challenges* was one of the main things that got me to be interested in computing more than ever before. That reminds me of the many online hacking/programing challenges I played before, some of them were really fun, examples include http://www.try2hack.nl http://www.arcanum.co.nz http://www.slyfx.co.uk http://www.mod-x.co.uk And many others, they might not be really hard or challenging enough to experts, but they get you will into the interest of computing and security (They have no aims of producing black hat hackers imo, all what they aim at is producing people interested in securing themselves and people around them). I'll be looking into getting this Hackers Challenge as it really sounds interesting :).
    • Agreed, also along the lines of the many "Crack-Me"
      and "Hack-Me" challenges that security groups put out when trying to recruit. It's always fun for a challenge if nothing else.


      The book sounds like a good read....

    • by ThirdEdition ( 651845 ) on Wednesday February 19, 2003 @03:33PM (#5337962)
      I've read this book too, and it's really good. The problem is that they don't have enough space to really misdirect you, they really only provide the information that is relevant. In a real world environment, you'd need to sift through everything (irrelivant logs, user history files, timestamps) to see what is and is not helpful. But HC does a good job with what they can offer.

      I was first intrigued by case studies when I read hacking linux exposde [hackinglinuxexposed.com], which has excellent real-world case studies. Turn them on their heads and they are useful as challenges too. Since HLE was based on Hacking Exposed [hackingexposed.com] I thought I'd get it for those case studies, but they are lame 1-2 page things.

      You can get the case studies for HEL online now, which is cool.

      Does anyone else have good case studies / challenge pointers that are available online?

    • I'd never looked at hacking/cracking challenges before, but the www.try2hack.nl one is a great introduction to it, and surprisingly addictive.

      Thanks for the link, I think some geek fun is definitely no bad thing from time to time.

      Now if only I could get past level 5...
      Time to monitor those temp files or find something to decompile visual basic exe's =)
      Or peek at memory usage in something like softICE. Tonight could be a long night...
      Cheers :)
    • i believe the expression is "that rings a bell", not "that rings a bill".
  • A slammer worm locks down your server. What do you do? ...
    Answer: Take the week off.
    • by Lord_Slepnir ( 585350 ) on Wednesday February 19, 2003 @12:06PM (#5335791) Journal
      Answer: Switch to MySQL. Wallpaper your office with all the money you saved.
      • "Answer: Switch to MySQL. Wallpaper your office with all the money you saved." Better yet, switch to MySQL, buy walpaper with the money you save, and then wall paper your wall. A room in that shade of green would be really ugly! Oh, and now you still have money. Nalanthi
    • A slammer worm locks down your server. What do you do?What do you do?!?

      Shoot the server. Take it out of the equation.

      This "Speed" moment was brought to you by Mentos.

  • by spin2cool ( 651536 ) on Wednesday February 19, 2003 @12:04PM (#5335776)
    Remind anyone else of an Encyclopedia Brown book?

    "Gee Willikers, looks like Bugs is up to something again. What? He's hacking the Pentagon? No need to call the authorities - us kid detectives have it under control! What? He just launched nukes at Russia? Maybe i'll leave this one to the cops..."

    Also check out Encyclopedia Brown and the case of the Pirated MP3s. [modernhumorist.com]
    • by Bonker ( 243350 )
      I was just about to say the same thing.

      Seriously, check out the MH Encyclopedia Brown stories. They're great and presented *perfectly*.

      Encyclopedia Brown and the Case of the Missing Olympic Magic [modernhumorist.com] is the best one, IMHO. God, I hate Bob Costas.
    • Those books were the bizomb back in the day! When I was in third grade I picked one out of the random sea of shitty little books that we had to read everyday. I actually liked it. I think I read them all within a couple months. In retrospect I shoulda paced myself, because I bombed reading for the rest of the year due to shitty books.
    • For reminding me of the ten or so Encyclopedia Brown books I devoured as a child, I salute you, my friend.

      It's a martian with a phaser-gun!, shouted Bugs, He's going to turn you into an ice-cream pie!

      I can also remember Bugs Meaney's "2) ???" was "Trying to figure out why the stomach doesn't digest itself."

      What was the girls name? Sally? She had Spunk.

  • by sczimme ( 603413 ) on Wednesday February 19, 2003 @12:10PM (#5335843)

    Why I Gave This Book An 9

    Because it would not be a /. book review if the score were less than that. :-)
  • by dpbsmith ( 263124 ) on Wednesday February 19, 2003 @12:20PM (#5335921) Homepage
    A book entitled "HACKER'S Challenge" ought to be a series of programming puzzles with clever, nonintuitive answers.

    I suppose trying to get writers and the general public to distinguish between hacking and cracking is a lost cause, but we need to keep trying.
    • I suppose trying to get writers and the general public to distinguish between hacking and cracking is a lost cause, but we need to keep trying.

      Sigh... I know how you feel. But I think we should just let them have the term. It's wasted effort to keep trying to correct people.

      Let them refer to crackers as "hackers." We'll just switch to referring to hackers as "gods." ;-)

    • Main Entry: bitch
      Pronunciation: 'bich
      Function: noun
      Etymology: Middle English bicche, from Old English bicce
      Date: before 12th century
      1 : the female of the dog or some other carnivorous mammals
      2 a : a lewd or immoral woman b : a malicious, spiteful, or domineering woman -- sometimes used as a generalized term of abuse
      3 : something that is highly objectionable or unpleasant
      4 : COMPLAINT

      (source: www.m-w.com)

      Rather ironic that you dispute the multiple meanings of the word "hacker" by performing an action that also has multiple meanings. Damn I love words, and bitching. And bitches come to think of it.
    • So true... in fact the other day I was trying (with no luck) to find a book of problems and puzzles for programmers. Ideally nothing language specific, more focused on clever algorithms... a fairly concise problem statement (say a page or less) and answerers that are self checking (i.e. if you got the answer... you did it right). With puzzle complexity being something that would take a day to a week to solve and really push creative thinking... if anybody knows of one... please let us know... if not... maybe I should start writing. ;)
    • by Anonymous Coward
      While we're on the subject, somebody please inform Kevin Mitnick that he was a cracker, not a hacker as he kept referring to in his interview.

      The term 'cracker' only came into use as a result of political correctness... the good hackers didn't like their name tarnished by the bad hackers, so they assigned the term 'cracker' to these people.

      So one who breaks into systems is also known as a hacker. Your sense of political correctness prevents you from using that term. To you, one who breaks into Coke vending machines would be a soda cracker.
    • Why? Really -- why? Even l33t h4x0rs don't call themselves cr4x0rs. Everyone I know recognizes that "hacking" originally referred to coding, and in my development shop it still does. But now it also means "doing naughty security-related computer things." The term has taken on an overloaded meaning, and the context is almost always sufficient to distinguish what the speaker means.
  • Recommended (Score:3, Insightful)

    by antiframe ( 651356 ) on Wednesday February 19, 2003 @12:23PM (#5335940)
    I have read through a few of the scenarios, and they are great. I haven't read the first in the series though, but I might go back and do that at some time. Having been Adam's roomate at Drexel a few years back, I can vouch for his very talented security analysis skills, so any work with his name on it gets my seal of approval right off the bat anyhow.
  • sorta like a choose your own adventure book...

    they should make one for adults... they would only have to actually write on half the pages... as they could assume everyone would just pick the selection that looked like it would lead to sex...
  • memories.. (Score:3, Funny)

    by syle ( 638903 ) <syle AT waygate DOT org> on Wednesday February 19, 2003 @12:53PM (#5336235) Homepage
    My favorite quote in the book is from the chapter where "d4rkl0rd", a young novice hax0r who only speaks in l33t speak, is at the dinner table : "n0 m0m, 3y3 h4t3 gr33n b34ns, dUh!"

    I can't believe my mom recorded that conversation!

    This is so embarassing...

  • I thought it was the reverse: challenges for systems to hack into.

    After that, I thought, maybe it's real 'hacks', as in what the Jargon File would define 'hack' as.

    Speaking of which...I tried to provide a link to www.tuxedo.org and got redirected to various sites. What's up with ESR's site?
  • by crawdaddy ( 344241 ) on Wednesday February 19, 2003 @03:29PM (#5337935)
    Mad Hacker: "Pop quiz, hotshot! Hacker just started compiling and executing a killer virus on his machine! You can either save the internet or capture the bad guy. What do you do?"
    Keanu Reeves: "Shoot the boxen."
    Mad Hacker: "But it's got a bullet-proof cover over it with a keyboard entry system...and YOU DON'T KNOW THE PASSWORD"
    Keanu Reeves: "I'm already in!"
    Mad Hacker: "But how?!"
    Keanu Reeves: "The three most commonly used passwords: love, secret, and sex...not necessarily in that order"
    Mad Hacker: "But it's not any of those"
    Keanu Reeves: "Don't forget about 'God'. System operators love using 'god'."

    Ok...maybe I went a bit overboard with it...
  • Great book. I also found a monthly forensic challenge contest here [tigertools.net].

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...