Counter Hack. A Step-by-Step Guide to Computer Attacks and Effective Defenses
by Ed Skoudis
Prentice Hall PTR 2002
564 pages. Index, glossary. ISBN 0-13-033273-9 $49.99

Reviewed by Robert Bruen, July 15, 2002

There are a lot of hacking books available today, so for a new one to get any attention it has to have something to offer that goes beyond the existing books. There are only a few things possible, such as a greatly improved presentation of the material, or perhaps new material. Fortunately for authors and unfortunately for system administrators, there is always new material. The new material is often just attacks or resources, although attacks that are truly new and unique are few and far between. New resources for defenses are appearing more often, but these are generally organizations and memos, not real tools. The new and really good tools are as limited as the really good attacks. This leaves the book itself as the main reason to get attention.

Mr. Skoudis has written a book that is worth reading, even if you already know about security. This is a technical approach to attacks and defenses, not one for management, which is looking for risk assessment and policy discussions. A book like this needs to cover certain topics, like TCP/IP, networks, ports, tools, etc., but the additional material is what matters. One of the better features is a chapter describing attacks in story form, with each step showing how and why a particular tool is used to achieve the objective. The victim's mistakes, the ones that let the attacks succeed, are detailed as well, in a manner that is more helpful than just saying "keep up with patches."

The newer material of interest concerns kernel-level rootkits. They have been around for a while, but there are not many good explanations in books, so this is useful information. As Linux becomes more popular in the back rooms, attacks on it become more of a concern. Of course, Linux has been popular as an attack platform for a while. Other Unix systems are in the back room already, such as Solaris, and yes, there are similar rootkits for them. The main issue is the Loadable Kernel Module (LKM), a very handy feature when managing systems, because kernel-level code can be loaded on a running system without requiring a reboot. It means that each site can keep its kernel smaller by not loading things it does not need. This feature is just as handy for the attacker, since code loaded into the kernel runs with full privileges and can hide itself from the tools an administrator would use to find it. When the attacker ratchets up the stakes, the defenders respond. There are some free and commercial products available that can help. You might want to consider eliminating LKM support, if possible (not all operating systems allow disabling of LKM). I think this is still up for discussion because the feature is useful. Microsoft email is a great target for virus writers, but we all know that email is not going away. The trick is to make sure that the features of email prevent the spread of the virus.

The quantity of knowledge, skill and expertise required of the security professional has reached the point where specialization is the only way to be successful. There seem to be fewer of those who have broad and deep knowledge like Skoudis. One must have been around for a while to accumulate the expertise and then keep up with all the new stuff, including the proliferation of new technology. Each new operating system, and each variant of an old one, opens up new opportunities for attackers. Operating systems tend to have better security than applications, but as new features are introduced to make them more useful, more vulnerabilities are introduced right alongside the usefulness. It is unfortunate that the technical demands of security reach down into the OS when one also must be concerned that some secretary is using the name of a cat for a password. We can be grateful for authors like Skoudis who help keep us up to date.