Gray Hat Hacking : The Ethical Hacker's Handbook (One-Off)
List Price: $49.99
Your Price: $32.99
Summary: Powerhouse authors should provide deeper coverage next time
Review: 'Gray Hat Hacking' (GHH) is positioned as a next-generation book for so-called ethical hackers, moving beyond the tool-centric discussions of books like 'Hacking Exposed.' The authors leave their definition of 'gray hat' unresolved until ch 3, where they claim that a 'white hat' is a person who 'uncovers a vulnerability and exploits it with authorization;' a 'black hat' is one who 'uncovers a vulnerability and illegally exploits it and/or tells others how to;' and a 'gray hat' is one who 'uncovers a vulnerability, does not illegally exploit it or tell others how to do it, but works with the vendor.' I disagree and prefer SearchSecurity.com's definitions, where white hats find vulnerabilities and tell vendors without providing public exploit code; black hats find vulnerabilities, code exploits, and maliciously attack victims; and gray hats find vulnerabilities, publish exploits, but do not illegally use them. According to these more common definitions, the book should have been called 'White Hat Hacking.' I doubt it would sell as well with that title!
Content-wise, the book mixes ethical and legal advice with tool overviews and technical information. Many reviewers note the good legal overview in ch 3, where I found the tables summarizing various laws to be helpful. The authors provide a sound rationale for penetration testing: 'Nothing should be trusted until it is tested' (p. 13). I enjoyed the disclosure discussion in ch 3 as well. I liked the brief tool descriptions of Core IMPACT, Immunity Security's CANVAS, and the Metasploit Framework. Some of the other discussions (e.g., Amap, P0f, Ettercap) didn't go deeper than already published explanations of those same tools.
I found the technical material to be accurate albeit somewhat disorganized and in some cases far too shallow. For example, the authors provide 6 pages on Python (ch 6), 6 pages on C (ch 7), and a single 21 page chapter (ch 10) mentioning system calls, socket programming, and assembly language. On p 279 and several other places the authors admit their topic 'deserves a chapter to itself, if not an entire book!' They should have trusted their instincts and required readers to have prior knowledge of programming in low- and high-level languages prior to reading GHH. Instead, short sections that are too basic for the pros but too rushed for beginners detract from the book's focus.
The five authors clearly know their subjects, but they should have coordinated their chapters better. For example, ch 7 introduces using debuggers without even a description of their purpose. Six chapters later (in ch 13), we read a description of debugging only to be followed again by another discussion of debugging in ch 14. All of this should have been consolidated and rationalized.
I think McGraw-Hill/Osborne's second edition of GHH should seek to differentiate itself from more focused books like 'The Shellcoder's Handbook' (by Wiley) and 'Exploiting Software' (by Addison-Wesley). There is a market for high-end security books without sparse introductory material included for the benefit of beginners. Authors should either commit to the beginners and give enough information to enlighten them, or tell them to read foundational references first and concentrate on the more experienced audience. Authors like Allen Harper and Chris Eagle, winners of last year's 'Capture the Flag' contest at Def Con, can deliver the goods if not constrained by a publisher's desire to address as broad an audience as possible. I would not be surprised to see this book greatly expanded in a second edition, which I look forward to reading.
Summary: A bedrock for serious Security Professionals
Review: I bought this book a few weeks ago while searching through the IT books section. Being in the IT Security field for over 7 years and remembering some of my earlier days, I decided to buy it. Overall I liked how Ms. Harris broke out the ethics and laws. Most of us in the field know there are laws, but never take the time to sit down and absorb them. The coding stuff was the best and more up my alley. I've seen too many security professionals who don't know how to code and coding IS THE MOST IMPORTANT SKILL YOU CAN LEARN. This book cleanly broke down C, Assembly, and some sample exploits really well. I was able to brush up on my Assembly and learn some cool tools in the process. If you've read Hacking Exposed and want some more fundamental information, read this book. You'll really like it.
Summary: Well-written with good references but not a panacea
Review: The title might be a bit misleading since the terms "gray hat hacking" and "ethical hackers" don't really belong together (except perhaps with the words "is not done by" between them). Make no mistake this is a well-written book by industry experts for ethical hackers, not gray hats.
The book begins with the expected introductions and overviews but also includes a lot of useful information on the ethical and legal aspects of hacking, not really present in any other books. Next it goes into the differences between vulnerability assessment, penetration testing, and red teaming--explanations commonly found in other books but this one does the best job I've seen so far differentiating between them. It gives a bit of useful info for those looking to do such things within their own company or as their own company too.
The next major section is a primer on several hacking tools like Ethereal and nmap, but also covers some commercial applications like Impact and Canvas in some depth. Throughout it does a good job of conveying enthusiasm for hacking, and when an author truly enjoys the subject, the book is bound to be better for it.
The next section serves as a primer on Python (appropriate for the context of the book), sufficient for those already familiar with a language such as Perl or Tcl. It goes more in-depth on compiled language features and memory management, however, in preparation for upcoming content.
The last half of the book is on topics such as shell code and disassembly. Personally I feel too much time is devoted to the subjects covered here, since realistically most readers are more likely to be penetration testers running exploits and not researching undiscovered buffer overflow vulnerabilities--plus these topics are covered in other books such as The Shellcoder's Handbook.
This book is not so much a "how to hack" or even a "how to defend" reference; the book actually describes itself as a "next generation hacking book" and I believe it's accurate--it's not a complete guide or reference and the authors admit it. It gives you just enough info for a foundation whether you're on the attack or defend side of the fence and LOTS of references, both express and implied, to get you started learning more on your own. If you're looking for novice advice like "use a personal firewall" you won't find it here.
If you intend to do the more esoteric, or academic, research into vulnerability discovery and are technical enough to put the shellcoding section to use, this book is for you. If you don't need all the technical detail on shellcoding, disassembly, etc., you're still likely to find value in the first half of the book and perhaps the last chapter or two. I highly recommend it just for the overviews of laws, types of testing, methodology, tools, and references to more info. If you like assembly language the rest is a bonus.
Summary: best intro to vulnerability discovery
Review: This book is designed as a beyond Hacking Exposed type book. It certainly lives up to that by concentrating on more fundamental knowledge. Among its strong points, this book is the most solid introduction to vulnerability discovery techniques I have seen. Another point to this book's credit is that I was unable to find any errors in the examples I ran (about half).
The authors start out with 4 chapters that discuss things like... what pen-testing is, ethics, legal issues. Some of the more useful discussions in this section include legal issues, and reporting vulnerabilities to vendors. Some of the less useful discussions include the difference between gray, white, and black hats. Omitted was discussion of the true old school meaning of 'hacker.' The first 4 chapters rate three stars.
Chapters 5 and 6 discuss some cool tools including: p0f, amap, ettercap, xprobe2, metasploit, CANVAS, and IMPACT. Enough information is included to get you going on each one. Also the underlying principles are discussed. Good chapters. Chapters 5 and 6 rate four stars.
Chapters 7 through 11 discuss: Programming, Linux Exploits, Shell Code, and Windows Exploits. The "Programming Survival Skills" chapter is a little light, but that can only be expected. These chapters are very well done, and this is the best section of the book. The explanations are very clear and concise. I tried many of the examples in these chapters, and they worked flawlessly. The authors' attention to detail will make these chapters very valuable to those learning vulnerability research and discovery. The material here provides a solid foundation. Chapters 7 through 11 rate a strong five stars.
Chapters 12 through 15 discuss reverse engineering, writing exploits, and patching the holes. Tools discussed include valgrind, sharefuzz, SPIKE, IDA Pro, RATS, its4, debuggers, and more. This is a nice introduction to reverse engineering. It's enough to get you going, but it's not quite as deep as many will probably want. The discussions here are well done. Chapters 12 through 15 rate a weak five stars.
Overall, I rated this book a strong four stars. I would have loved to give it five stars if the first few chapters were better. I wouldn't mind seeing them removed and replaced with expanded technical content in any future editions. Based on the strength of the remainder of this book, it's hard to imagine a better introduction to advanced vulnerability discovery techniques. I wish I had this a few years ago!
Summary: The Real Scoop, Not for Beginners.
Review: This is a book on how to hack into computer systems to teach you more about how to protect yourself from hackers. This is a lot like the military uses schools like Top Gun to teach warriors how the expected opposition fights.
Hacks into systems are generally based on bugs in the code. Generally accepted guidelines say that there are 5 to 50 bugs per thousand lines of code. Windows XP has approximately 40 million lines of code -- That says somewhere between 200,000 and 2,000,000 bugs in XP alone.
This book will teach you what hackers are doing, the legal aspects, the damage done and most important how to avoid your own systems getting maliciously hacked. It is not intended for the beginner - when you're reverse engineering binary files or investigating what's happening with the stack you're pretty deep into what's happening in the system.
This is the most complete, most detailed book I've seen on hacking.