From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-02-10
---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor"
Organization: Vancouver Institute for Research into User
Date: Wed, 10 Feb 1999 12:19:41 -0800

BKFICMCR.RVW 981106

"Fighting Computer Crime", Donn B. Parker, 1998, 0-471-16378-3, U$34.99/C$49.50
%A Donn B. Parker dparker@sric.sri.com
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 1998
%G 0-471-16378-3
%I John Wiley & Sons, Inc.
%O U$34.99/C$49.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P 512 p.
%T "Fighting Computer Crime: A New Framework for Protecting Information"

Parker feels that too much of the data security field concentrates on technical answers to the problems of reliability, integrity, and availability of data, and doesn't pay sufficient attention to those people who are deliberately out to read, steal, or ruin your information and systems. Personally, I find it rather ironic that he defines "crimoids," in chapter one, as minor events promoted to much higher significance by the media, and public misperceptions. In the non-specialist realm, more people spend more time worrying about "hackers" than ever back up their drives. (I am reminded of a friend, an intelligent and educated person who started his career programming large and sophisticated information systems and who has now risen to the executive ranks, who has for years refused to get a modem for his home computer. In spite of his frequently expressed desire for access to the Internet, and my repeated assurances that with his current computer and operating system there is no hidden danger, he remains convinced that the mere attachment of a modem to his machine will allow someone to break into his computer and damage it.)

Who, then, is this book written for? The author does not say, but what he does say in the preface seems to indicate that he is not writing for those whose business cards make reference to security.
(I have neither argument nor inclination to dispute Parker's assertion that security "professionals" do not really deserve the designation.) But if this text is aimed at the general public, chapter one's emphasis on the dangers and lack of protection would seem more inclined to incite further panic, rather than a realistic and measured response. Chapter two is an interesting and useful examination of an often unasked question in the field: what is the nature of the information we are supposedly securing? There are valuable side points, such as both the danger and the opportunity in the security arena presented by the Year 2000 problem. At the same time, I have to note that an erroneous description of the Cascade virus is an example of Parker's asserting points that are just beyond the available facts, and, for me anyway, has an unfortunate effect on the trustworthiness of the work as a whole. The review of cybercrime, in chapter three, has more reference to journalism and other forms of fiction than to reality, but I have to agree with everything said there. Computer misuse and abuse is discussed in chapter four. (As if to make up for chapter two, the section on viruses is very good.) Network misuse is covered in chapter five, and although I still have trouble believing in the reality of salami attacks (Parker's sole example is said to have resulted in a conviction, but no citation is given) I am a bit more willing to accept his broader definition. Chapter six is extremely strong in portraying a realistic and broadly based analysis of characteristics of computer criminals. A similarly informed and balanced approach distinguishes chapter seven, regarding hacker culture, but there is also a universally condemnatory tone that is not wholly justified by the facts as presented. Chapter eight is a very helpful first step for those wanting to deal in the art of computer security. 
Chapter nine reviews the deficiencies in most current security practices, noting overprotection in some areas while ignoring loopholes in others, and a flowery jargon that serves mostly to hide the fact that security people just don't feel very comfortable with what is going on. However, Parker's new model of security, in chapter ten, while it is very clear and useful, does not extend recent work in, say, electronic commerce. On the one hand, this congruence does support the model, but on the other, one can't really say it is too novel. The popular, but demonstrably incomplete, risk assessment study is de-emphasized in favour of a more difficult, but more realistic, baseline security standard in chapter eleven. Details on how to conduct such a study are very helpfully given in chapter twelve, although the benchmark chart is going to be much harder to come by than is made clear in the text. Chapter thirteen provides a practical and useful set of criteria for determining control objectives. A number of security tactics are detailed in chapter fourteen. Chapter fifteen takes the larger strategic view. (I was delighted to see the inclusion of a section on corporate ethics in this chapter. Recently I contracted to produce a security document for an educational institution, and was told to take the section on ethics out.) Management of security, in chapter sixteen, includes provisions for training, policy, and other factors. Chapter seventeen finishes off with a look to the future. The material, while thought-provoking, is possibly more likely to generate arguments than solutions.

Parker's stance on security in general definitely puts him in the camp of the professional paranoids. However, absent the first and last chapters, there is a lot of good, solid knowledge here to help educate any security practitioner.
The material in the second half of the book is just as valuable to the security process as the more technical works such as "Practical UNIX and Internet Security" (cf. BKPRUISC.RVW) by Spafford and Garfinkel, albeit in quite a different way. An informed security policy is every bit as important as a good set of "access" controls.

copyright Robert M. Slade, 1998   BKFICMCR.RVW 981106

======================
rslade@vcn.bc.ca rslade@sprint.ca robertslade@usa.net p1@canada.com
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Linked to bookstore at http://www97.pair.com/robslade/
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
---------------------------------------------
Date: Tue, 9 Feb 1999 15:13:28 -0700
From: cult hero

0849381584.rev 990131

"Investigating Computer Crime", Clark/Diliberto, 1996, 0-8493-8158-4, U$49.95
%A Franklin Clark, Ken Diliberto
%C 2000 Corporate Blvd, N.W., Boca Raton, FL 33431
%D 1996
%E n/a
%G 0-8493-8158-4
%I CRC Press, INC
%O U$49.95
%P 228 p.
%T "Investigating Computer Crime"

Chapter 1 - "Computer Search Warrant Team": Chapter one starts out quick and to the point. In this three page chapter, the authors outline six groups that make up a computer search warrant team: Supervisor, Interview Team, Sketch/Photo team, Physical search team, security/arrest, and technical evidence seizure team.

Chapter 2 - "Computer-Related Evidence": A detailed list of types of evidence that can be found at a subject's location. The chapter lists types of evidence, shows where it might be found, gives examples, as well as includes pictures. Unfortunately, the common stereotyping of hackers begins here, which may distract the reader from the facts.

Chapter 3 - "Investigative Tool Box": Every investigative team should carry a toolkit to effectively perform their duties. The advice and recommendations in this chapter seem to focus on MSDOS and Win 3.1 systems.
Programs and software tend to be Windows based commercial programs. Little mention is made of OS/2, UNIX, or more obscure OSs.

Chapter 4 - "Crime Scene Investigation": Each investigation must go through certain steps to be effectively completed, starting with scene evaluation and ending with "completing the search". This chapter goes step by step through the required process.

Chapter 5 - "Making a Boot Disk": Once again, this chapter seems to focus on MSDOS based systems. Those investigating Unix or NT systems will not benefit from the information here. Since a majority of systems are now 95, NT, or Unix, this chapter could stand for a second version.

Chapter 6 - "Simple Overview of Seizing a Computer": Chapter six is nothing more than a three page checklist overview of the steps in seizing a computer. Unfortunately, it doesn't go into much detail or prepare the reader for uncommon occurrences.

Chapter 7 - "Evidence Evaluation and Analysis": Once the material has been collected from the subject computer, the long process of examining the files begins. Covering the different types of files like spreadsheets, databases, or graphics, this chapter focuses on DOS or Win based computers.

Chapter 8 - "Investigating Floppies": Much like the previous chapter, this one applies to any floppy disks seized in a warrant.

Chapter 9 - "Common File Extensions": A three page list of common file extensions. Aside from the duplicate entries (like 'gif'), there is a noticeable lack of other extremely common extensions like 'tar', 'gz', or 'arj'.

Chapter 10 - "Passwords and Encryption": While covering passwords and elements of good password security, the chapter falls very short on practical encryption. Someone new to investigating computer crime is likely to walk away thinking that encryption will not be a big hurdle when encountered. Rather than cover more on PGP, CFS, or SFS, the chapter goes into BBS passwords, Quicken, Word Perfect, and similar programs.
Chapter 11 - "Investigating Bulletin Boards": The obvious base of the authors' experience, this chapter goes into details on BBSs, their operation, finding them, and more. Along with some information on elements of a BBS, suggestions are made for the L.E. officer poking around new BBSs. Guidelines for investigators trying to infiltrate a BBS are given, but the concept of fitting in seems to fall short.

Chapter 12 - "'Elite' Acronyms": The mere existence of this chapter, along with the short list, suggests the authors don't fully grasp the depth of the 'underground' scene. While listing some obscure groups I have personally never heard of, they leave off well known and overly used acronyms often used among the scene.

Chapter 13 - "Networks": Perhaps one of the more concise chapters, this section gives a good summary of networks, network devices, and network operating systems. Understanding networks is the key to properly investigating.

Chapter 14 - "Ideal Investigative Computer Systems": Though written in 1996, the recommended systems for investigators as outlined seem appropriately detailed. However, while the outline does provide a decent foundation for new investigators to work from, it seems rather short-sighted.

Chapter 15 - "Court Procedures": Often one of the more elusive and more misunderstood components of a computer crime investigation, the court procedures are often the most critical. This chapter touches on expert witnesses, pretrial preparation, terminology, and more.

Chapter 16 - "Search Warrants": By citing case law and specific examples the authors have encountered, good coverage of the details on types and differences of various search warrants is presented. Included in the chapter are sample warrants from previous cases to give the reader a solid idea of what they encompass.

Overview: For someone new to investigating computer crime, this is the ideal book for you.
Not only does it cover most aspects of an investigation, it does so by providing examples and pictures for reinforcement. To the experienced investigator, the book may fill in a few small gaps or bring to light a new element previously overlooked. Lastly, to anyone working on cases involving unix or the internet, this book is not for you.

---------------------------------------------
Date: Tue, 9 Feb 1999 15:14:06 -0700
From: cult hero

0936653744.rev 990119

"Cyber Crime, How to Protect Yourself from Computer Criminals", Laura E. Quarantiello, 0-936653-74-4, U$16.95
%A Laura E. Quarantiello
%C P.O. Box 493, Lake Geneva, WI 53147
%D 1996
%E n/a
%G 0-936653-74-4
%I Tiare Publications/Limelight Books
%O U$16.95
%P 141 p.
%T "Cyber Crime, How to Protect Yourself from Computer Criminals"

Part One:

Chapter One - 'Terrorism On Line: Inside Computer Crime': Chapter one opens with defining computer crime, and does a decent (and fair) job of defining why hackers hack. "In the end, it all comes down to one of those six reasons."

Chapter Two - 'Computer Criminals and their Crimes: Digital Outlaws': Starting out with 'phreaking', the author gives a brief history of hackers and the phone systems. Unfortunately, a serious lack of research shines through in this chapter, where a list of "phreaker boxes" is quoted. It has been well established that a majority of these boxes never worked, and were little more than wishful thinking by hackers with little knowledge of the phone system. The rest of the chapter delves into different aspects of hacking and how hackers evolved.

Chapter Three - 'Cyber-Sneezes: Viruses': As with most computer security books, this is the token chapter on computer viruses.

Chapter Four - 'The Darkest Side to Computer Crime: Threats to Your Personal Safety and Property': Chapter four begins by giving contrast between crime and virtual crime. One admirable feature is the clarification that not all online pedestrians will be mugged by cybercriminals.
Unfortunately, a good portion of the chapter deals with 'stalking', pornography, and child pornography, which seems out of place in contrast with other sections.

Part Two:

Chapter Five - 'Cyber Security: Foiling Computer Criminals and Staying Safe': This chapter suffers the problem of trying to squeeze too much information into a small place. Writing about how to secure your systems should take books. Starting out with the idea of 'weak links', they abruptly end after two and move into other non-numbered categories. While a decent effort, it brings its failure upon itself by trying.

Chapter Six - 'Cyber-Cops: Walking the Digital Beat': Much to the dismay of law enforcement, this chapter paints a relatively accurate picture of the state of computer crime and law enforcement's ability to deal with it (considering when the book was written). Toward the end of the section, contact info for CERT and the advice to call the FBI is given: the exact organizations the author found lacking.

Overview: For a 100 page, 1 hour read, this book does a better than average job of portraying computer crime. Despite the handful of errors, the author gives a fair overview of computer crime, hackers, and law enforcement.

review: jericho@dimensional.com

---------------------------------------------
Date: Tue, 9 Feb 1999 15:14:22 -0700
From: cult hero

0929408217.rev 0898

"The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking", Carolyn P. Meinel, 0-929408-21-7, U$29.99
%A Carolyn Meinel cmeinel@techbroker.com
%C POBox 1507, Show Low, AZ 85901
%D 1998
%G 0-929408-21-7
%I American Eagle Publications, Inc
%O U$29.99
%P 268
%T "The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking"

Technical Editors: John D. Robinson, Roger A. Prata, Daniel Gilkerson, Damian Bates, Mark Schmitz, Troy Larsen

My first impression of the book was a make money fast scheme gone wrong. Cashing in on the buzzword of the 90's, Ms. Meinel runs the word 'hacker' into the ground by the end of chapter 1.
Looking past the glaring errors in grammar and spelling, the reader must deal with the constant technical errors, contradictions, and overall lacking 'style' the author uses. The book consists of material that has mostly been published on the web in various states (also technically incorrect), and brings no new insight to the subject she claims to teach. As far as teaching 'hacking', I couldn't find a single quality reference or section that dealt with hacking. Considering the questionable past of the author, the book furthers thoughts that she has no experience as a hacker, security consultant, or anything related to computers at all. What most people consider novelty 'tricks', like changing a Win95 bootup screen, Ms. Meinel touts as 'hacking'. The continued reference to Windows 95 and lack of unix information further suggests the book isn't about hacking at all, rather simple tricks and documented options that can be found in most Windows books.

For those interested in learning hacking, stick to more positive sources. Check out some other security books or online resources. Hacking is not something that can be taught from a book; it is more a state of mind and desire to learn. After reading this book, users can expect to find themselves in a confused state with more questions than they started with. Unfortunately, they find themselves with no more insight on where the answers may be found either.

Page 67: "I make my living asking dumb questions." Quoted material is straight from the author's mouth, and seems to be dead on with the technical level of the book.

review by: jericho@dimensional.com
copyright 1998