Chained Exploits: Advanced Hacking Attacks from Start to Finish
by A. Whitaker, K. Evans and J. Voth

Addison-Wesley 2009.
ISBN 13-978-0-321-49881-6. Amazon.com USD 31.49

Reviewed by Richard Austin, May 29, 2009

With books on how to "hack" practically everything from your favorite operating system to the kitchen toaster, one might legitimately wonder what could be done to set a new book apart from this crowded flock? Whitaker and his colleagues have managed to carve out their own niche by taking a comprehensive look at how penetrating an organization's defenses often requires that several exploits be applied in sequence (or a chain) to actually achieve the objective.

In a refreshing counter to the "technology tunnel-vision" that afflicts many of us (i.e., if it's not a technical vulnerability then it's nothing to worry about), the authors' scenarios include defects in process and implementation as well as good, old-fashioned social engineering in the attacker's bag of tricks.

The book is organized around the activities of a fictional hacker named "Phoenix" whose exploits are motivated by the usual causes such as greed or revenge for some slight. Some of the tasks are assigned by a shadowy criminal organization that "recruited" Phoenix after becoming aware of his activities. This organization doesn't hesitate to remind him that while the pay is good, they also know where he and his significant other live and their safety is contingent on his continued successful performance. This provides an important reminder that cybercrime is no longer a playground for the technological elite but rather a thriving business venture where lavish profits reward successful operations. Each of the eight chapters of this short book (279 pages) opens with an initial scenario that describes the assignment. Phoenix then has to conduct reconnaissance and develop a plan of attack to accomplish his objective. Sometimes an attack is foiled by a countermeasure and he has to circle back around to find a new avenue for that phase of his assault. The chapter concludes with a countermeasures section that discusses the defenses that would have foiled the successful chain of attacks.

The scenarios are very realistic and range from the staples of stealing credit cards and industrial espionage to more exotic goals such as destroying a politician's career through compromising a social networking site.

This is a book that needed to be written and the authors, themselves penetration testers by profession, have done an admirable job of graphically illustrating how successful penetrations are often not the result of a single flaw or attack but the result of a carefully crafted chain of actions that worm their way around and through the successive layers of our defenses. I suspect many readers, like myself, will experience several "Oh fudge!" moments and dash off copious notes that will guide new hardening efforts in their organization for some time to come.

Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu