It is fair to say that most of the current strategies for network defense are passive, in that they involve setting up elaborate security shields to thwart or redirect intruders. The reason for this no doubt is that network administrators and IT departments do not want to face the legal consequences if they do as the authors of this book advocate, namely launching an attack on an intruder (human or otherwise) that will effectively disable it or at least frustrate it to a large degree. Interestingly though, the legal framework surrounding "aggressive" network self-defense is far from being clear. It would seem that existing laws on the books dealing with harassment and public nuisance would in fact support a large degree of "strike-back" network defense. The authors of this book seem to agree on this legal right, but the initial discussions in the book do illustrate the severe consequences that could arise if a security administrator were to take up the strike-back philosophy.
The weapons of aggressive self-defense include the PDA, which is discussed in the first chapter of the book and which is described as being "easy to infect" by the author of the chapter. After bragging about how he was able to compromise other people's PDAs via the exchange of games, he discovered that his own PDA had been compromised by a key logger. He then describes how he found out exactly how he was infected, which is naturally called "computer forensics." Carrying out the 'reverse engineering' requires a debugger, a disassembler, and a hex editor. His discussion will be fascinating reading, especially for those readers (such as this reviewer) who are not committed hackers or security specialists, but who need a good understanding of the issues in order to attempt to emulate them in more sophisticated, distributed computing environments. To get down to the assembly language after possibly many years of high-level programming is intoxicating to say the least. The author's analysis leads him to the conclusion that a backdoor FTP server was running on port 69 (instead of the usual port 21). His plan was then to find out who installed the FTP server and then launch a reverse attack. The attack consisted of two phases, the first preventing the attacker from having access to his information and tricking the attacker into downloading a file of the author's choice. The manner in which the author communicates convinces the reader that he knows what he is talking about. In order to know for sure, one would have to go through the attack procedures as he organizes them. Unfortunately the author lost his job over his escapades, when instead he should have been rewarded for his ingenuity and skill. He was acting properly in taking action against an attack originally targeted at his machine.
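The forensic step the chapter turns on is noticing a service bound to a port it has no business on. The script below is an added illustration of that check from the defender's side; it is not code from the book or its author. It parses constructed `ss -ltnp`-style listener lines (not real captured output) and flags any listener that is absent from an assumed per-host baseline or that is bound somewhere other than its well-known port. The baseline and the well-known-port table are assumptions for a hypothetical host.

```python
"""Flag unexpected listening services on a host.

Added illustration, not from the book. The sample lines are constructed to
resemble `ss -ltnp` output; the baseline tables are assumed for a
hypothetical host and would be replaced with the real host's inventory.
"""
import re

# Assumed baseline: the services this host is expected to expose, keyed by port.
EXPECTED_LISTENERS = {
    22: "sshd",
    80: "httpd",
}

# Well-known port for each service name (assumed table); a service bound
# elsewhere is worth a second look, as in the chapter's FTP-on-69 finding.
WELL_KNOWN_PORTS = {"ftpd": 21, "sshd": 22, "httpd": 80, "tftpd": 69}

# Constructed sample listener lines (not real captured output).
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1203,fd=4))
LISTEN 0 5 0.0.0.0:69 0.0.0.0:* users:(("ftpd",pid=4471,fd=5))
"""

# Matches "LISTEN recv-q send-q local:port peer users:((\"proc\",pid=N,..."
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text):
    """Return a list of (port, process_name, pid) for each LISTEN line parsed."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m.group("port")), m.group("proc"), int(m.group("pid"))))
    return listeners


def find_anomalies(listeners, expected=EXPECTED_LISTENERS, well_known=WELL_KNOWN_PORTS):
    """Return human-readable findings for listeners outside the baseline.

    Two checks per listener: is the port in the baseline (and served by the
    expected process), and is the process on its well-known port.
    """
    findings = []
    for port, proc, pid in listeners:
        if port not in expected:
            findings.append(f"unexpected listener: {proc} (pid {pid}) on port {port}")
        elif expected[port] != proc:
            findings.append(
                f"port {port} served by {proc} (pid {pid}), expected {expected[port]}"
            )
        standard = well_known.get(proc)
        if standard is not None and standard != port:
            findings.append(
                f"{proc} (pid {pid}) bound to port {port} instead of well-known port {standard}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_listeners(SAMPLE_LISTENERS)):
        print(finding)
```

On the constructed sample the script reports the port-69 listener twice: once because port 69 is not in the baseline, and once because `ftpd` is not on port 21. Either finding alone is a cue to pull the binary into the debugger and disassembler, which is where the chapter's analysis begins.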
The next chapter discusses an attack scenario in a place that is commonplace these days: the cybercafe. The goal of the chapter is to convince the reader to be wary of wireless hotspots, which can easily be compromised. The author describes a scenario that actually began with criminal intent and, occurring in a WLAN environment, consisted of tricking users into logging into a person's own laptop. The author describes in detail what this person had to create and install on his laptop in order to pull off this deception, becoming the notorious "man-in-the-middle." He did this in order to obtain the credit card numbers of the customers who unwittingly logged into his machine instead of the correct access point. His scam was discovered and he was rightly arrested after he had run up over $10,000 in charges. But interestingly, his man-in-the-middle scam was detected by the WLAN administrator, and when this individual took it on himself to perform the investigation he attacked the scammer's machine and in the process broke so many laws that the evidence he collected was ruled inadmissible. The credit card companies sued the administrator since he nullified the federal case against the original scammer. Even though he won the case against him, his culpability is a grey area for sure, and this case reflects some of the ambiguities in digital law at the present time (both criminal and civil).
There are many more attack scenarios discussed in the book, all of which serve as tutorials in the many different tools that have been exploited by both invaders and attackers. These include cache snooping, port knocking, TCPDump, Knoppix STD, Ethereal, Squid, honeypots, Sudo, cookie tracking, Trojan horses, keyloggers, Netcat, Nmap, PatriotBox, Traceroute, ping sweeping, IPSec rule injection, MD5 hashing, Stripwire, passive strike-back, and mass vulnerability scans. There is ample material here to educate oneself on how attacks can be accomplished and therefore how to defend systems against them. By far the most interesting part of the book, though, is the second one, since it goes into more of the conceptual background behind what the authors call 'active defense.' They define this as an "action sequence performed between the time an attack is detected and the time it is known to be finished, in an automated or non-automated fashion, to mitigate a threat against a particular asset." This definition is the one used in their model of network defense, which they call ADAM (Active Defense Algorithm and Model). The different steps to be taken, and the legal and ethical ramifications of ADAM, are discussed in great detail. An interesting part of this discussion concerns the 'scoring chart' that is used to compare the risk of a materializing threat with the risk of an active defense action. In addition, the calculation of risk is interesting in that it is similar to what is done in some areas of financial engineering.
- Paperback: 383 pages
- Publisher: Syngress Publishing (12 April 2005)
- Language: English
- ISBN-10: 1931836205
- ISBN-13: 978-1931836203
- Product Dimensions: 17.9 x 2.5 x 23.8 cm
- Boxed-product Weight: 590 g