
BOOK REVIEW

Inside Internet Security — What Hackers Don’t Want You To Know: Jeff Crume, Pearson Education Limited, £29.95


The main work follows the lead of its title in chapter 7 with 16 things hackers don’t want us to know, starting with “firewalls are just the beginning,” and ending with “the future is looking bright”.

Crume is articulate and rarely repeats himself. His prose is redolent with analogies. Anyone interested in cryptanalysis will find his appendix tutorial enlightening and helpful. However, I would have liked to see more specific examples explained, like the one about the exploitation of Standard Access Management Systems (SAMS) by hackers on Unix.

This book is not a policy document for security, nor a solution for any particular system.

Initially it resembles a reference text and even has numbered paragraphs, for example, 12.4.2, but it reads more like a supporting text for some kind of course in the fundamentals of network security.

It is not a deep book, but achieves its main objective: to examine the mindset of the hacker. The first seven chapters are like a primer and will appeal to tyros and those who would appreciate some hand-holding to get them started.

One memorable anecdote is, “Hackers don’t want you to know that your corporate network may be a lot more like a party line than a private line.”

Indeed some interesting facts may be gleaned about the practice of sniffing.

The normal mode for a network client is only to read the header of a packet to see if the message is destined for itself. However, it is possible for an adaptor to be switched to promiscuous mode — ideal for an eavesdropping hacker. Such sniffing software has legitimate uses, but is a potential security hole. Crume informs us about AntiSniff from L0pht Heavy Industries, an example of available software that can help plug such holes.
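The paragraph above describes the two receive modes in words. As an added example (not code from Crume’s book or from this review), here is a small Python model of that filter: in normal mode the adapter keeps only frames whose destination is its own MAC, broadcast or a multicast group, while in promiscuous mode it keeps everything on the wire. It also includes a host-local check that reads the Linux interface flags under /sys/class/net, a simple complement to the network-based detection that a tool such as AntiSniff performed. The frame layout is the standard Ethernet II header; the MAC addresses, payloads and flag values are constructed sample data.

```python
"""Toy model of the two NIC receive modes the review describes, plus a
host-local check for a Linux interface left in promiscuous mode.
Added example: the MAC addresses and flag values below are constructed sample data."""
import os
import struct
from typing import Dict, List

BROADCAST = bytes.fromhex("ffffffffffff")
IFF_PROMISC = 0x100          # Linux net_device flag bit for promiscuous mode
ETHERTYPE_IPV4 = 0x0800


def parse_ethernet(frame: bytes) -> Dict[str, object]:
    """Split a raw Ethernet II frame into header fields and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Would this adapter hand the frame up to the host?

    Normal mode: only frames for our own MAC, broadcast, or a multicast group.
    Promiscuous mode: every frame on the segment, which is what a sniffer needs."""
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    if dst == own_mac or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01)   # I/G bit set: multicast destination


def make_frame(dst: str, src: str, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build a frame from colon-separated MAC strings (helper for the sample data)."""
    def mac_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload


# Constructed sample traffic: locally administered (02:..) MACs, not real devices.
OWN_MAC = bytes.fromhex("020000000001")
SAMPLE_FRAMES: List[bytes] = [
    make_frame("02:00:00:00:00:01", "02:00:00:00:00:09", b"for us"),
    make_frame("02:00:00:00:00:02", "02:00:00:00:00:09", b"for a neighbour"),
    make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:09", b"broadcast"),
    make_frame("01:00:5e:00:00:fb", "02:00:00:00:00:09", b"multicast"),
]


def count_accepted(frames: List[bytes], own_mac: bytes, promiscuous: bool) -> int:
    """How many of the frames the adapter would pass to the host in the given mode."""
    return sum(1 for f in frames if accepts(f, own_mac, promiscuous))


def flags_promiscuous(flags_text: str) -> bool:
    """Interpret the hex value found in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Defender's check: list local interfaces currently in promiscuous mode.

    Returns an empty list where the sysfs tree is absent (non-Linux hosts)."""
    found: List[str] = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if flags_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue
    return found


if __name__ == "__main__":
    total = len(SAMPLE_FRAMES)
    print("normal mode keeps", count_accepted(SAMPLE_FRAMES, OWN_MAC, False), "of", total)
    print("promiscuous mode keeps", count_accepted(SAMPLE_FRAMES, OWN_MAC, True), "of", total)
    print("local interfaces in promiscuous mode:", promiscuous_interfaces() or "none")
```

On the constructed sample, normal mode keeps three of the four frames (the one for a neighbouring host is dropped) and promiscuous mode keeps all four. The sysfs check only reports the host it runs on; an interface legitimately in promiscuous mode (a monitoring sensor, a bridge) will show up too, so the output is something to reconcile against an inventory rather than an alarm by itself.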

In chapter 16, Crume writes, “Now anyone can launch a debilitating attack even though they have no idea how it actually works.”

Worried yet? Crume demystifies notorious and inane distributed denial-of-service (DDoS) attacks. Look to your vulnerable server memory buffers.

From my perspective as a Web manager, I found chapter 18 the most interesting. This is where Crume informs us that hackers don’t want us to know that active content is more active than we think. Crume reminds us that for two years now the Java 2 standard has knocked down “the walls of the sandbox”, and he explains the evils of ‘Web spoofing’, a con-game on the Web which enables ‘active hacking’.

He points out that what seems safe in theory, like JavaScript, may not be safe due to flaws in our code and flaws in the browser’s internal interpreters. It is scary stuff...

If you think that passwords are safe, think again. Crume jolts one from complacency in this area too, “A 4-digit numeric password could be cracked on a modest PC in 0.02 seconds — faster than you can blink your eyes.”

In a section about proving one’s identity on the network, he is more upbeat, “Biometric solutions often are the most costly of all but they have the potential to be the most secure.”

As a primer it is an excellent easy read from beginning to end; but experienced readers could start from chapter 8. It is not cheap, but it does deliver precisely what it promises in its title.

Graham Roberts


Our subscribers will not be surprised to read that E-commerce and the opening up of corporate computer networks to external customers make security a vital concern for networking professionals. Crume believes that much fear arises from lack of information. He argues that hackers are predators exploiting our vulnerabilities but that we can put their threat into perspective and construct realistic defences. As the eponymous title proclaims, he seeks to disseminate what hackers don’t want us to know; turning the tables, he ‘hacks’ the hackers.


Password please

According to a report from Signify, the top five ways to crack password authentication are:

1. Shoulder snooping
2. Guess work
3. Cracking using tools like L0phtCrack
4. Keyboard tapping with a tool such as NetBus or BackOrifice
5. Virus infection — Trojan horses are the most popular.

According to a survey by Barron McCann, 92% of IT managers prefer to use passwords as protection from would-be data thieves.