Inside Cyber Warfare, 2nd Edition – You’re at the front line & you can’t retreat – #bookreview

Inside Cyber Warfare (2nd Edition)
By Jeffery Carr
(O’Reilly, paperback, list price $39.99; Kindle edition, list price $31.99)

A global war for survival is in full battle, and you — or at least one or more of your computers — may now be right at the front line, already in the fight.

Actually, in cyber warfare, there is no “front line.” As this important book makes unnervingly clear, attacks on business and military data, on financial systems, and on personal information now can — and do — come at any time from anywhere on the planet.

The attackers can be governments, military units, criminal groups, terrorist organizations, hacker gangs, lone-wolf thieves and even mischief makers with little or no agenda except chaos. And what seems to be a damaging infiltration from one nation actually may be controlled by, and coming from, computers in several other nations.

Indeed, some recently successful and damaging attacks against supposedly well-secured systems have been launched from sites very difficult to identify, using networks of infected computers scattered across several continents, including the United States. And the owners of the infected computers had no idea their machines were involved.

Jeffrey Carr’s updated book is aimed at political and military leaders, policy makers, and corporate executives responsible for securing data systems and sensitive information. Yet everyday computer users need to read it, too, to have a clearer sense of what we are all up against now. We must understand the risks well enough to help pressure lawmakers, corporate leaders and others to make good choices regarding data security and protecting intellectual property.

The author is a cyber intelligence expert and consultant whose specialty is investigating “cyber attacks against governments and infrastructures by state and non-state hackers.”

Carr’s well-written second edition covers such topics as: the cyber-warfare capabilities of a wide range of nation-states, from Australia and Nigeria to China, the Russian Federation and the United States; how organized crime operates and profits in cyberspace; the difficulty of responding to international cyber attacks as acts of war; and national and international legal issues that affect cyber warfare.

Some foreign governments, Carr points out, are believed to condone and even sponsor cyber attacks. Others are well aware of the digital lawbreakers operating within their borders, yet prosecute only a selected few cases. For example, Carr notes, “in the Russian Federation, the police are interested only in arresting hackers for financial crimes against Russian companies. Hacking attacks cloaked in nationalism are not only not prosecuted by Russian authorities, but they are encouraged…” through a variety of proxies.

Against technically savvy, well-funded and government-coddled hackers, your outdated virus protection software and your dogs’-names passwords are very thin, very porous shields, indeed.

Carr offers a number of recommendations to American policymakers who must wrestle with Internet and data security issues, plus protection of intellectual property. One of his strongest recommendations is a call for the Department of Defense to throw Windows out the Pentagon’s windows and replace it with Red Hat Linux.

“Red Hat Linux,” he writes, “is a proven secure OS with less than 90% of the bugs found per 1,000 lines of code than in Windows. Many decision makers don’t know that it is the most certified operating system in the world, and it’s already in use by some of the US government’s most secretive agencies.” He adds: “Linux certainly has its vulnerabilities, but the math speaks for itself. Shoot Windows and eliminate the majority of the malware threat with one stroke.”

He also wants sharp crackdowns on “US companies that provide Internet services to individuals and companies who engage in illegal activities, provide false WHOIS information, and other indicators that they are potential platforms for cyber attacks.”

But anyone who connects a computer to the Internet and is active on social media needs to be aware of the risks and high stakes involved in the cyber warfare now being fought between and among governments, criminal groups, terrorist organizations, hacker gangs and lone-wolf troublemakers.

Even as you read this, your personal computer or your company’s servers may be secretly helping North Korea, Iran, China, a drug cartel or a lone, bored hacker launch a cyber attack somewhere else in the world.

You may not be a high-value data target. Yet, even with just one laptop computer, you can become an unwilling and unknowing foot soldier for the wrong side.

These are scary thoughts, and you can’t wish them away. Read this important book to get the big, unnerving picture.

Then start thinking — fast — of ways to better protect your computers, data, intellectual property and personal information.

Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, including The 7th Mars Cavalry, all available on Kindle. He is a screenwriter, a freelance book reviewer, and a former technical writer and software/hardware QA test specialist.

The Tangled Web: A Guide to Securing Modern Web Applications – #programming #bookreview

The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
(No Starch Press, paperback, list price $49.95; Kindle edition, list price $31.95)

When Michal Zalewski writes, people listen. And many software programmers pay — or should pay — very close attention to what he recommends.

Zalewski is an internationally respected information security expert who has uncovered hundreds of major Internet security vulnerabilities.

“The dream of inventing a brand-new browser security model,” he states in The Tangled Web, “is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web. Therefore, much of the practical work focuses on more humble extensions to the existing approach, necessarily increasing the complexity of the security-critical sections of the browser codebase.”

Today’s Web indeed is a mess, a complex morass of “design flaws and implementation shortcomings” within a technology “that never aspired to its current status and never had a chance to pause and look back at previous mistakes,” he says. And: “The resulting issues have emerged as some of the most significant and prevalent threats to data security today….”

In his well-written new “Guide to Securing Modern Web Applications,” Zalewski states that “a substantial dose of patience, creativity, and real technical expertise is required from all the information security staff.”

Anyone who works with the Web application stack needs to clearly understand its built-in security vulnerabilities and the consequences that can occur when unwanted penetrations occur.

Zalewski’s 299-page book is structured into three parts — Anatomy of the Web, Browser Security Features, and A Glimpse of Things to Come — and 18 chapters:

  1. Security in the World of Web Applications
  2. It Starts with a URL
  3. Hypertext Transfer Protocol
  4. Hypertext Markup Language
  5. Cascading Style Sheets
  6. Browser-Side Scripts
  7. Non-HTML Document Types
  8. Content Rendering with Browser Plug-ins
  9. Content Isolation Logic
  10. Origin Inheritance
  11. Life Outside Same-Origin Rules
  12. Other Security Boundaries
  13. Content Recognition Mechanisms
  14. Dealing with Rogue Scripts
  15. Extrinsic Site Privileges
  16. New and Upcoming Security Features
  17. Other Browser Mechanisms of Note
  18. Common Web Vulnerabilities

Zalewski’s other published works include Silence on the Wire and Google’s Browser Security Handbook.

Despite the software industry’s many efforts to find security “silver bullets,” Zalewski contends that “[a]ll signs point to security being largely a nonalgorithmic problem for now.” What still works best, he says, are three “rudimentary, empirical recipes”:

  1. Learning from (preferably other people’s) mistakes
  2. Developing tools to detect and correct problems
  3. Planning to have everything compromised.

“These recipes are deeply incompatible with many business management models,” he warns, “but they are all that have really worked for us so far.”

Zalewski’s book puts a bright, uncomfortable spotlight on the fundamental insecurities of Web browsers, but it also shows you how to improve the security of Web applications.

Whether you program Web apps, or manage Web app programmers, or are studying to become a Web app programmer, you likely need this book.

Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, all available on Kindle. He is a freelance book reviewer for the Dallas Morning News and a former technical writer and software/hardware QA tester.

Here’s the book scaring me this Halloween: America the Vulnerable – #bookreview #data #security

Subtitled “Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” America the Vulnerable is written by Joel Brenner, former inspector general at the National Security Agency.

Brenner has recent experience at the highest levels in national intelligence, counterintelligence and data security. And he has studied firsthand many of the threats and attacks against our national, corporate and personal interests.

“During my tenure in government,” he writes, “I came to understand how steeply new technology has tipped the balance in favor of those–from freelance hackers to Russian mobsters to terrorists to states like China and Iran–who want to learn the secrets we keep, whether for national, corporate, or personal security.” He adds: “The truth I saw was brutal and intense: Electronic thieves are stripping us blind.”

Everything from Social Security numbers to technological secrets that cost billions to develop are being taken — stolen from military and corporate data networks and individual computers, possibly including yours.

His book will leave you wide-eyed and wondering who is surreptitiously poking around inside your computer right at this moment and what they are taking or “borrowing” for sinister purposes.

Likely the Chinese and the Iranians and Russian mobsters and others, including hackers, are in there or have been there recently.

And Brenner explains how you may be unknowingly helping them find and transfer sensitive and vital information, even when you do something seemingly innocuous as plugging in a thumb drive to your laptop.

You won’t need to watch any monster movies to get scared this Halloween. Brenner’s book or its Kindle version can give you a very serious case of chills and frights.

Si Dunn

Configuring Microsoft SharePoint 2010 – Self-Study Guide for MCTS exam 70-667 – #microsoft #bookreview

Configuring Microsoft SharePoint 2010
By Dan Holme and Alistair Matthews
(Microsoft Press, list price $69.99, paperback)

If one of your goals in life is to deploy and manage Microsoft SharePoint Server 2010 farms, here’s your book.

You definitely need it if you are already involved in configuring, customizing and supporting SharePoint and want to take the Microsoft Certified Technology Specialist (MCTS) exam 70-667.

This “2-in-1 Self-Paced Training Kit” follows the successful formula used in many other Microsoft certification test preparation guides.

First, you work through a series of lessons and reviews covering each objective in the exam. Then you apply what you have learned to some real-world case scenarios, and you do some practice exercises. Finally, you plug in the CD that accompanies the book and try your hand at the practice tests.

“You can work through hundreds of questions using multiple testing modes to meet your specific learning needs,” Microsoft promises.

In other words, the material is there if you’re willing to push yourself to learn it. And there is a lot to learn when you work with SharePoint.

One small example: one of the book’s “Best Practices” entries points out that “[y]ou might imagine that the best practice to scale out a farm is simply to add more servers and to continue adding all services to each server. In fact, in larger and more complex environments[,] performance is optimized by dedicating servers to specific tasks.” And the entry briefly explains why.

Another short example: the book describes how “[a]fter you complete your SharePoint installation and the SharePoint Products Configuration Wizard, you often run the Initial Farm Configuration Wizard.” But then it explains why you should not use this tool to configure My Sites, “because the resulting configuration is not considered secure.”

Indeed, the co-authors add, that combination can set up a situation where, conceivably, a My Site owner could use scripting attacks “to get Farm Administrator privileges.”

The book has 821 pages and is divided into 12 chapters:

  1. Creating a SharePoint 2010 Intranet
  2. Administering and Automating SharePoint
  3. Managing Web Applications
  4. Administering and Securing SharePoint Content
  5. Service Applications and the Managed Metadata Service
  6. Configuring User Profiles and Social Networking
  7. Administering SharePoint Search
  8. Implementing Enterprise Service Applications
  9. Deploying and Upgrading to SharePoint 2010
  10. Administering SharePoint Customization
  11. Implementing Business Continuity
  12. Monitoring and Optimizing SharePoint Performance

As an added inducement to buy the book, it includes a discount voucher good for 15 percent off the price of one Microsoft Certification exam.

Again, Configuring Microsoft SharePoint 2010 is not a book for SharePoint beginners.

The co-authors note: “The MCTS exam and this book assume that you have at least one year of experience configuring SharePoint and related technologies, including Internet Information Services (IIS), Windows Server 2008, Active Directory, DNS, SQL Server, and networking infrastructure services.”

The writers recommend using virtual machines to do the training exercises in their book. And they assume you will “use virtualization software that supports snapshots, so that you can roll back to a previous state after performing an exercise.”

They also give information and limitations on using multiple virtual machines on a single host. And their book provides download links to evaluation versions of the software needed to do the exercises.

The book’s accompanying CD offers one other learning convenience: an e-book version of the hefty text.

Si Dunn

Two New Microsoft Books for Visual Basic & Visual Studio – #programming #bookreview

The two new books are Microsoft Visual Basic 2010 Developer’s Handbook by Klaus Löffelmann and Sarika Calla Purohit ($59.99, paperback; $47.99, Kindle), and Coding Faster: Getting More Productive with Microsoft Visual Studio by Zain Naboulsi and Sara Ford (list price $39.95, paperback; list price $31.99, Kindle).

If you don’t yet have some background in object-oriented programming, you may not be ready for either of these hefty, well-produced books. But if you are gearing up to develop or update programs in Visual Basic, you likely can benefit from both.

Why both? The reason is simple. “These days,” the co-authors of the Developer’s Handbook point out, “programming in Visual Basic means that you are very likely to spend 99.999 percent of your time in Microsoft Visual Studio. The rest of the time you probably spend searching for code files from other projects and binding them into your current project…”

The Developer’s Handbook is divided into six well-written parts and 28 chapters, with plenty of screenshots, code examples and programming tips.

The parts are:

  1. Beginning with Language and Tools
  2. Object-Oriented Programming
  3. Programming with .NET Framework Data Structures
  4. Development Simplifications in Visual Basic 2010
  5. Language-Integrated Query—LINQ
  6. Parallelizing Applications (programming with the Task Parallel Library, TPL)

Most of the chapters have exercises where you can “interactively try out new material learned in the main text.” All of the code samples can be downloaded from two sites described in the book.

Meanwhile, the main goal of Coding Faster: Getting More Productive with Microsoft Visual Studio is “to arm you with techniques that you can apply immediately to improve productivity,” the book’s co-authors state. “Use the content in this book anywhere, anytime, to dramatically reduce the time required to perform just about any task in Visual Studio.”

They note: “Within these pages are—for the first time ever—the keyboard mapping shortcuts, commands, and menu paths for features, along with detailed descriptions of how to use them.”

Coding Faster covers the 2005, 2008 and 2010 versions of Visual Studio. The 444-page book is divided into two major sections — “Productivity Techniques” and “Extensions for Visual Studio” — and eight chapters, all copiously illustrated with screenshots. The chapters are:

  1. Getting Started
  2. Projects and Items
  3. Getting to Know the Environment
  4. Working with Documents
  5. Finding Things
  6. Writing Code
  7. Debugging
  8. Visual Studio Extensions

Coding Faster is a “fully revised and expanded version” of a previous guidebook: Visual Studio Tips: 251 Ways to Improve Your Productivity, and the new book (more than 365 tips) provides a link to an online appendix for additional tips.

If you have some programming experience but are new to developing or updating Visual Basic programs, Coding Faster could be a very handy guidebook for getting good at Visual Studio in a hurry.

Si Dunn

Many Features Great & Small: Two New Microsoft Windows 7 Books – #bookreview

Here’s the long and the short of it, and the big and the semi-little.

Microsoft Press recently has released two helpful new books focusing on the features of Windows 7. One book, a hardback, weighs nearly five pounds and has 1,323 pages. The other, a paperback that weighs nine ounces and has 194 pages, is supposed to fit in a pocket and does, if it’s a pocket in a big coat.

The books are: Windows 7 Inside Out Deluxe Edition by Ed Bott, Carl Siechert, and Craig Stinson (hardback, list price $59.99; Kindle, list price $47.99) and Optimizing Windows 7 Pocket Consultant by William R. Stanek (paperback, list price $24.99; Kindle, list price $19.99).

If you use Windows 7 in business or at home on an at least semi-serious basis, you may want to consider getting at least one of these books, maybe both. The same goes if you are studying to be a Windows expert or if you have just been saddled with the job of managing a bunch of computers running Windows 7 in a corporate or small-business setting.

The big book is an excellent desk reference (as well as physical workout accessory), and the small one can be tossed into a laptop bag, briefcase or carry-on travel bag. The cover binding on the big book appears to be underpowered, so be prepared to handle this book with the same care you might give a big dictionary or encyclopedia intended for long-term use. (For the next edition, Microsoft Press may want to consider a tougher binding system for the book and cover.)

Windows 7 Inside Out Deluxe Edition is organized in six parts, 31 chapters and seven appendices. The parts are:

  • 1. Getting Started
  • 2. File Management
  • 3. Digital Media
  • 4. Security and Networking
  • 5. Tuning, Tweaking, and Troubleshooting
  • 6. Windows 7 and PC Hardware

The appendices are:

  • A. Windows 7 Editions at a Glance
  • B. Working with the Command Prompt
  • C. Fixes Included in Windows 7 Service Pack 1
  • D. Windows 7 Certifications
  • E. Some Useful Accessory Program

The goal for Windows 7 Inside Out Deluxe Edition is to provide “a well-rounded look at the features most people use in Windows.” As with most other works from Microsoft Press, this book has numerous illustrations, practical tips and how-to descriptions, and it offers a good index.

One Inside Out tip, for example, explains why Windows 7 won’t let you run more than one antivirus program but why you can run more than one anti-spyware package if you really feel you need to.

The book includes a CD that offers Windows PowerShell scripts, a handy (and infinitely lighter) eBook version of the hardback, and additional resources.

Meanwhile, Optimizing Windows 7 Pocket Consultant also assumes that you have a little experience with Windows. It is aimed at users, information managers, administrators, help desk personnel “and others who support the operating system,” as well as application developers.

The book’s focus is centered on showing you how to tune and optimize Windows 7 for best performance in your setting and usage.

Optimizing Windows 7 Pocket Consultant has eight chapters, plus one appendix titled “Firmware Interface Options.” The chapters are:

  • 1. Customizing the Windows Interface
  • 2. Personalizing the Appearance of Windows 7
  • 3. Customizing Boot, Startup, and Power Options
  • 4. Organizing, Searching, and Indexing
  • 5. Optimizing Your Computer’s Software
  • 6. Tracking System Performance and Health
  • 7. Analyzing and Logging Performance
  • 8. Optimizing Performance Tips and Techniques

Stanek’s book delivers numerous helpful hints that range from making better use of your start menu to fine-tuning automatic updates, fine-tuning virtual memory and enhancing performance.

For example: “To reduce the performance impact related to reading and writing the system cache from virtual memory, you can configure your computer to use Windows ReadyBoost.” That feature, Stanek notes, “lets you extend the disk-caching capabilities of the computer’s main memory to a USB flash device that has at least 256 MB of high-speed flash memory.”

Many new Windows 7 users — and many experienced ones, as well — likely will rate these two books as “keepers” for their technical libraries.

Si Dunn


The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler – #bookreview

The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler
By Chris Eagle
(No Starch Press, $69.95, paperback; $55.95, Kindle)

The popular interactive disassembler IDA Pro helps reverse engineers, malware analysts, vulnerability testers and others dissect computer programs when source code is not available.

Unfortunately, IDA Pro is updated so frequently, it’s impossible for writers to keep up and present complete guides to this “complex piece of software with more features than can even be mentioned, let alone detailed in a book of reasonable size….”

Chris Eagle, author of The IDA Pro Book, adds in the introduction to this second edition that he was inspired to update his well-respected guidebook when “a new, Qt-based graphical user interface” was added to IDA Pro 6.0. Yet, true to form, before his new edition could hit the shelves, IDA Pro version 6.1 was released, he notes.

To his credit, his book does not try to be an up-to-the-dot-release user manual. Instead: “My goal…remains to help others get started with IDA and perhaps develop an interest in reverse engineering in general. For anyone looking to get into the reverse engineering field, I can’t stress how important it is that you develop competent programming skills. Ideally, you should love code, perhaps going so far as to eat, sleep, and breathe code. If programming intimidates you, then reverse engineering is probably not for you.”

This updated edition of The IDA Pro Book is well-organized, smoothly written, and nicely illustrated. Eagle avoids the use of long code sequences. He zeroes in, instead, on “short sequences that demonstrate specific points.”

His 646-page book is heavily indexed and is divided into six parts, with 26 chapters and two appendices.

In Part I, “Introduction to IDA,” the focus is on the whats, whys and hows of software disassembly, reversing and disassembly tools, and some background on IDA Pro.

Part II covers “Basic IDA Usage,” including getting started, IDA data displays, disassembly navigation and manipulation, datatypes and data structures, cross-references and graphing, and “the many faces of IDA,” which covers common features of console mode, plus console specifics for Windows, Linux and OS X.

Part III takes the reader into “Advanced IDA Usage.” These chapters examine IDA customization, library recognition using Fast Library Acquisition for Identification and Recognition (FLIRT) signatures, “augmenting IDA’s knowledge” and “patching binaries and other IDA limitations.”

Part IV is devoted to “Extending IDA’s Capabilities.” The topics covered include IDA scripting, the IDA software development kit, IDA’s plug-in architecture, binary files and IDA loader modules, and IDA processor modules.

Part V’s focus is “Real-World Applications.” The chapter subjects include: compiler “personalities”; “obfuscated” code analysis; vulnerability analysis; and real-world plug-ins for IDA.

In Part VI, Eagle looks at the IDA debugger. Chapter subjects include the debugger, disassembler/debugger integration, and additional debugger features.

Appendix A is an overview of IDA Freeware 5.0, “a significant upgrade” from the 4.9 release of the free version of IDA, yet still “a reduced capability application that typically lags behind the latest available version of IDA by several generations and contains substantially fewer capabilities than the commercial version of IDA version 5.0,” Eagle notes.

Appendix B provides a table that maps “IDC scripting functions to their SDK implementation. The intent of this table is to help programmers familiar with IDC understand how similar actions are carried out using SDK functions.”

IDA Pro software’s creator, Ilfak Guilfanov, has hailed this book as “profound, comprehensive, and accurate.” It’s hard to do much better than that with an “unofficial guide” to a powerful and complex software package.

— Si Dunn
