
Book Review - Hacking: The Next Generation by Nitesh Dhanjani, Billy Rios, and Brett Hardin


I've read my share of hacking books over the years, and most of them focus on the same topics... pointer overflows, brute-force password attacks, etc.  But with all the movement towards Web 2.0, the Cloud, and social networks, is it possible that hacking vectors have shifted into areas we don't normally worry about?  After reading Hacking: The Next Generation by Nitesh Dhanjani, Billy Rios, and Brett Hardin, the answer is definitely yes.  There's a whole new series of things to worry about, at both the corporate and the personal level.

Contents:
Intelligence Gathering: Peering Through the Windows to Your Organization
Inside-Out Attacks: The Attacker Is the Insider
The Way It Works: There Is No Patch
Blended Threats: When Applications Exploit Each Other
Cloud Insecurity: Sharing the Cloud with Your Enemy
Abusing Mobile Devices: Targeting Your Mobile Workforce
Infiltrating the Phishing Underground: Learning from Online Criminals?
Influencing Your Victims: Do What We Tell You, Please
Hacking Executives: Can Your CEO Spot a Targeted Attack?
Case Studies: Different Perspectives
Chapter 2 Source Code Samples
Cache_Snoop.pl
Index

Yes, the deeply technical hacks still exist, the ones that rely on badly coded software to gain privileges you aren't granted.  But in some ways, the hacks are getting easier, or at least more available to those who are not hardcore techheads.  Take, for instance, blended threats.  This is an interesting concept that shows how interconnected software environments have become.  In the example they use, Microsoft had a minor vulnerability in XP and Vista, while Apple had a minor vulnerability in their Safari browser.  Neither vendor felt that either item was critical.  That changed (at least for Microsoft) when someone used the behavior in Safari running on Windows to place a DLL file on the Windows desktop.  That DLL was then loaded by IE7 at startup, overriding the real DLL in the proper Windows directories.  You can imagine how this would lead to "undesirable consequences."

And if that's not enough, imagine the potential of hacks in the Cloud.  The authors show how one could hack the administration console of a Cloud provider, allowing someone to modify a number of parameters of a Cloud account.  Or... if your attack target runs on the Cloud and is charged based on bandwidth and CPU, imagine what would happen to that target if someone launched a distributed denial of service attack using the Cloud itself as the attacking client.  The resources are almost limitless, and the target gets hit with charges that escalate at an incredible rate.  Not a comforting thought if you've trusted your business to "the Cloud"...

I also noticed that, more and more, hacking is not so much about taking over hardware as it is about getting a pipeline to timely information.  For instance, more and more people are using shared and public calendars to manage their daily work.  It's not uncommon to be able to search for and find conference call details that were never removed from the entry.  If someone finds that info, it's very possible they can call in to the number, remain on mute, and pick up vital information that is of value to them or to other companies.  This type of hack isn't technical in the least.  It's just a mix of Google searching and ignorant/non-cautious users.

I'd really recommend Hacking: The Next Generation to my fellow techies.  More important than learning new ways to mess with each other's minds, it will expose you to a number of new attack vectors that you may not have considered.  And in most cases, simple awareness of those new vectors is enough to allow you to start to defend against them.

Disclosure:
Obtained From: Publisher
Payment: Free
