A Bug Hunter’s Diary: A Guided Tour through the Wilds of Software Security – #programming #bookreview

A Bug Hunter’s Diary: A Guided Tour through the Wilds of Software Security
By Tobias Klein
(No Starch Press, paperback, list price $39.95; Kindle edition, list price $31.95)

If your passion or desire is to find and kill software bugs and fight hackers, you should check out this well-written how-to book.

Tobias Klein, an information security specialist, has tracked down many difficult bugs and identified security vulnerabilities in some of the world’s best-known software, including Apple’s iOS, the Mac OS X kernel, web browsers, and the VLC media player, among others.

Using a diary approach, plus code examples and illustrations, Klein describes a bug he has just discovered in a software package. Then he illustrates how it creates a security vulnerability that a hacker could exploit, and he describes how to fix or at least reduce its risks.

Chapters 2 through 8 each focus on separate bugs, and Klein includes a list of “lessons learned” for programmers who want to avoid creating similar problems.

Klein’s well-illustrated book is organized as follows:

  • Chapter 1: Bug Hunting – (a brief overview.)
  • Chapter 2: Back to the ‘90s – (shows how he discovered a bug and vulnerability in a TiVo movie file that allowed him to crash the VLC media player and gain control of the instruction pointer.)
  • Chapter 3: Escape from the WWW Zone – (illustrates how and where he found a bug in the Solaris kernel and the “exciting challenge” of demonstrating how it could be exploited for arbitrary code execution.)
  • Chapter 4: Null Pointer FTW – (describes “a really beautiful bug” that opened a vulnerability into “the FFmpeg multimedia library that is used by many popular software projects, including Google Chrome, VLC media player, MPlayer, and Xine to name just a few.”)
  • Chapter 5: Browse and You’re Owned – (discusses how he found an exploitable bug in an ActiveX control for Internet Explorer.)
  • Chapter 6: One Kernel to Rule Them All – (focuses on how he decided to search for bugs in some third-party Microsoft Windows drivers and found one in an antivirus software package.)
  • Chapter 7: A Bug Older than 4.4BSD – (how he found an exploitable bug in the XNU kernel of Mac OS X.)
  • Chapter 8: The Ringtone Massacre – (how he found an exploitable bug in an early version of the iPhone’s MobileSafari browser that enabled him to modify ringtone files and access the program counter.)
  • Appendix A: Hints for Hunting – (“…some vulnerability classes, exploitation techniques, and common issues that can lead to bugs.”)
  • Appendix B: Debugging – (about debuggers and the debugging process.)
  • Appendix C: Mitigation – (discusses mitigation techniques.)

Tobias Klein is the author of two previous information security books that were published in Germany. Because hackers use many of the same tools as those seeking to keep them out, there is an important limit on how much detail Klein is able to impart in this book.

As he notes in a disclaimer: “The goal of this book is to teach readers how to identify, protect against, and mitigate software security vulnerabilities. Understanding the techniques used to find and exploit vulnerabilities is necessary to thoroughly grasp the underlying problems and appropriate mitigation techniques. Since 2007, it is no longer legal to create or distribute “hacking tools” in Germany, my home country. Therefore, to comply with the law, no full working exploit code is provided in this book. The examples simply show the steps used to gain control of the execution flow (the instruction pointer or program counter control) of a vulnerable program.”

Si Dunn

Here’s the book scaring me this Halloween: America the Vulnerable – #bookreview #data #security

Subtitled “Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” America the Vulnerable is written by Joel Brenner, former inspector general at the National Security Agency.

Brenner has recent experience at the highest levels in national intelligence, counterintelligence and data security. And he has studied firsthand many of the threats and attacks against our national, corporate and personal interests.

“During my tenure in government,” he writes, “I came to understand how steeply new technology has tipped the balance in favor of those–from freelance hackers to Russian mobsters to terrorists to states like China and Iran–who want to learn the secrets we keep, whether for national, corporate, or personal security.” He adds: “The truth I saw was brutal and intense: Electronic thieves are stripping us blind.”

Everything from Social Security numbers to technological secrets that cost billions to develop is being taken — stolen from military and corporate data networks and individual computers, possibly including yours.

His book will leave you wide-eyed and wondering who is surreptitiously poking around inside your computer right at this moment and what they are taking or “borrowing” for sinister purposes.

Likely the Chinese and the Iranians and Russian mobsters and others, including hackers, are in there or have been there recently.

And Brenner explains how you may be unknowingly helping them find and transfer sensitive and vital information, even when you do something as seemingly innocuous as plugging a thumb drive into your laptop.

You won’t need to watch any monster movies to get scared this Halloween. Brenner’s book or its Kindle version can give you a very serious case of chills and frights.

Si Dunn

Configuring Microsoft SharePoint 2010 – Self-Study Guide for MCTS exam 70-667 – #microsoft #bookreview

Configuring Microsoft SharePoint 2010
By Dan Holme and Alistair Matthews
(Microsoft Press, list price $69.99, paperback)

If one of your goals in life is to deploy and manage Microsoft SharePoint Server 2010 farms, here’s your book.

You definitely need it if you are already involved in configuring, customizing and supporting SharePoint and want to take the Microsoft Certified Technology Specialist (MCTS) exam 70-667.

This “2-in-1 Self-Paced Training Kit” follows the successful formula used in many other Microsoft certification test preparation guides.

First, you work through a series of lessons and reviews covering each objective in the exam. Then you apply what you have learned to some real-world case scenarios, and you do some practice exercises. Finally, you plug in the CD that accompanies the book and try your hand at the practice tests.

“You can work through hundreds of questions using multiple testing modes to meet your specific learning needs,” Microsoft promises.

In other words, the material is there if you’re willing to push yourself to learn it. And there is a lot to learn when you work with SharePoint.

One small example: one of the book’s “Best Practices” entries points out that “[y]ou might imagine that the best practice to scale out a farm is simply to add more servers and to continue adding all services to each server. In fact, in larger and more complex environments[,] performance is optimized by dedicating servers to specific tasks.” And the entry briefly explains why.

Another short example: the book describes how “[a]fter you complete your SharePoint installation and the SharePoint Products Configuration Wizard, you often run the Initial Farm Configuration Wizard.” But then it explains why you should not use this tool to configure My Sites, “because the resulting configuration is not considered secure.”

Indeed, the co-authors add, that combination can set up a situation where, conceivably, a My Site owner could use scripting attacks “to get Farm Administrator privileges.”

The book has 821 pages and is divided into 12 chapters:

  1. Creating a SharePoint 2010 Intranet
  2. Administering and Automating SharePoint
  3. Managing Web Applications
  4. Administering and Securing SharePoint Content
  5. Service Applications and the Managed Metadata Service
  6. Configuring User Profiles and Social Networking
  7. Administering SharePoint Search
  8. Implementing Enterprise Service Applications
  9. Deploying and Upgrading to SharePoint 2010
  10. Administering SharePoint Customization
  11. Implementing Business Continuity
  12. Monitoring and Optimizing SharePoint Performance

As an added inducement to buy the book, it includes a discount voucher good for 15 percent off the price of one Microsoft Certification exam.

Again, Configuring Microsoft SharePoint 2010 is not a book for SharePoint beginners.

The co-authors note: “The MCTS exam and this book assume that you have at least one year of experience configuring SharePoint and related technologies, including Internet Information Services (IIS), Windows Server 2008, Active Directory, DNS, SQL Server, and networking infrastructure services.”

The writers recommend using virtual machines to do the training exercises in their book. And they assume you will “use virtualization software that supports snapshots, so that you can roll back to a previous state after performing an exercise.”

They also give information on, and the limitations of, running multiple virtual machines on a single host. And their book provides download links to evaluation versions of the software needed to do the exercises.

The book’s accompanying CD offers one other learning convenience: an e-book version of the hefty text.

Si Dunn

Two New Microsoft Books for Visual Basic & Visual Studio – #programming #bookreview

The two new books are Microsoft Visual Basic 2010 Developer’s Handbook by Klaus Löffelmann and Sarika Calla Purohit ($59.99, paperback; $47.99, Kindle), and Coding Faster: Getting More Productive with Microsoft Visual Studio by Zain Naboulsi and Sara Ford (list price $39.95, paperback; list price $31.99, Kindle).

If you don’t yet have some background in object-oriented programming, you may not be ready for either of these hefty, well-produced books. But if you are gearing up to develop or update programs in Visual Basic, you likely can benefit from both.

Why both? The reason is simple. “These days,” the co-authors of the Developer’s Handbook point out, “programming in Visual Basic means that you are very likely to spend 99.999 percent of your time in Microsoft Visual Studio. The rest of the time you probably spend searching for code files from other projects and binding them into your current project…”

The Developer’s Handbook is divided into six well-written parts and 28 chapters, with plenty of screenshots, code examples and programming tips.

The parts are:

  1. Beginning with Language and Tools
  2. Object-Oriented Programming
  3. Programming with .NET Framework Data Structures
  4. Development Simplifications in Visual Basic 2010
  5. Language-Integrated Query—LINQ
  6. Parallelizing Applications (programming with the Task Parallel Library, TPL)

Most of the chapters have exercises where you can “interactively try out new material learned in the main text.” All of the code samples can be downloaded from two sites described in the book.

Meanwhile, the main goal of Coding Faster: Getting More Productive with Microsoft Visual Studio is “to arm you with techniques that you can apply immediately to improve productivity,” the book’s co-authors state. “Use the content in this book anywhere, anytime, to dramatically reduce the time required to perform just about any task in Visual Studio.”

They note: “Within these pages are—for the first time ever—the keyboard mapping shortcuts, commands, and menu paths for features, along with detailed descriptions of how to use them.”

Coding Faster covers the 2005, 2008 and 2010 versions of Visual Studio. The 444-page book is divided into two major sections – “Productivity Techniques” and “Extensions for Visual Studio” – and eight chapters, all copiously illustrated with screenshots. The chapters are:

  1. Getting Started
  2. Projects and Items
  3. Getting to Know the Environment
  4. Working with Documents
  5. Finding Things
  6. Writing Code
  7. Debugging
  8. Visual Studio Extensions

Coding Faster is a “fully revised and expanded version” of a previous guidebook, Visual Studio Tips: 251 Ways to Improve Your Productivity. The new book (more than 365 tips) also provides a link to an online appendix with additional tips.

If you have some programming experience but are new to developing or updating Visual Basic programs, Coding Faster could be a very handy guidebook for getting good at Visual Studio in a hurry.

Si Dunn