Chained Exploits

Author: Andrew Whitaker, Keatron Evans & Jack B. Voth
Publisher: Addison Wesley, 2009
ISBN: 978-0321498816
Aimed at: Network managers concerned with security
Rating: 4.5
Pros: A novel approach that makes for a good read
Cons: Technical level fairly low
Reviewed by: Mike James

The idea is a good one. Tell a story based around a multifaceted attack on a website or some other system. Motivate it as if it was a novel using a character - Phoenix - and a lot of other characters who generally irritate him to the point where it seems quite reasonable that he should want to get even. The phoenix character isn't all together a fixed character and he tends to mutate as the plot dictates and who exactly is writing the story. As a result some are better than others and they tend not to hang together as well as they could.

However don't get the idea that our "hero" is a super hacker. In most of the stories Phoenix comes across as a distinct beginner in the technical matters that he has to master to launch the attack. This isn't unreasonable as, motivated by the desire to get even or get rich, many a hacker will put in long hours to master some obscure tool or technology - exactly like any programmer. This also gives the authors the chance to ruminate about what sorts of approaches might work.

The "chained" in the title refers to the fact that this isn't a simple - malware in the system type of attack. Phoenix plans elaborate multi-step attacks which involve achieving five or six sub-goals on the way to the final objective. Of course any of the steps could fail and mean that the entire plan has to be revised. This is the sense in which many of the scenarios are fictionalised. It's a bit like the burglar about to give up because the front door was too strong but notices at the last moment that the upstairs window is open a crack. In this sense the exploits aren't particularly repeatable with any certainty because chance and the authors imagination plays a role in most of them.

If you a hoping for technical detail then there is plenty - but much of it should be well known to you if you are a network admin or a programmer. Going beyond the basics a few tools are used which you might not know, but again nothing really new and overall the technical level is quite low - SQL injection attacks, root kits, lock picking and so on. In addition most of the exploits rely on some level of social engineering. Phoenix talks his way into a building, gets information on printouts from a janitor, breaks into a building and so on. These are all very realistic attack modes for a professional. Indeed as the book says, amateurs use technical attacks and professionals use social engineering to acquire user names and passwords. After all why use a password cracker when you can simply con the information out of someone. Indeed at various points you might actually argue that some of the more round about technical attacks would be better replaced by a quick and easy traditional approach - why not just kidnap the manager, extract the password using torture, drive a truck through the front door of the bank and get a sawn-off shotgun as a hardware tool! This idea becomes even more obvious when we reach the discussion of how to pick a lock or fool a biometric device.

The message is that real hacking is closer to the traditional con trick aided by some technology than it is to a pure intellectual pursuit.

Despite all its shortcomings this is quite a fun book. If you are a security expert then you will know all of this stuff already. In fact even if you are not a security expert but just an interested observer most of it won't come as a great surprise. Where the book might do most good is in educating the less technical reader just how it could all happen - scary stories to be read in bed when the network is safely tucked up for the night.

Last Updated ( Monday, 10 August 2009 )