Hacker's Challenge 2
What It Covers
The scenarios in the book cover a wide range of current attacks. There are a few scenarios involving wireless access, each of which manages to point out a different facet of wireless security. The book also includes a few examples of network penetrations, a man-in-the-middle attack, a bit of forensic analysis, and the highly popular (in the media, at least) "insider attack." One chapter focuses on exploit development using a simple stack overflow, which is a nice diversion.
The book's format is identical to that of the previous volume. Each challenge is rated Low, Medium, or High for Attack Complexity, Prevention, and Mitigation. An account of each problem is presented (organized by date and time), often from the point of view of the person charged with figuring out what is happening or has happened. Logs are presented as the investigator requests them; the authors do a great job of following the thought processes and actions of the people responding to the incident as they discover each clue and take their next steps.
At the end of each scenario description, there are a number of questions that generally help focus the reader's attention on the relevant parts of the scenario. After the reader comes up with some likely answers, he can turn to the back of the book where the solutions are found. Each solution is broken down into an explanation of the attack, how the attack could have been prevented, and steps to take to mitigate the effects of the attack after it has occurred.
The explanation highlights the clues that were presented, how they could have been used to solve the challenge, and the right (or wrong) steps the investigator took and why. Links to additional information and references are provided at the end of each solution.
The Authors
Hacker's Challenge 2 is written by Mike Schiffman (@stake), Bill Pennington (WhiteHatSec), Adam J. O'Donnell (working towards a PhD at Drexel), and David Pollino (@stake). From the material presented, if not from their reputations and contributions to the computer security field (some of them under other names), the authors are obviously very familiar with analyzing and responding to security incidents. All of them contributed to the previous volume in the series. Unlike the first volume, the book does not identify who wrote each chapter.
Why I Gave This Book A 9
I have read the previous volume in the series. I liked this volume a lot more, and while I was reading it, I tried to work out why. One possibility I came up with is that they trimmed the number of authors from the roughly ten used for the previous volume. The consistency of the writing and scenarios is greatly improved. The scenarios in this book are also much more interesting to me than those in the previous book, and it feels much more current than the previous volume. (I still recommend the previous volume, however, if you haven't been following possible attacks and countermeasures for a while; I'd give it a 7.) From the first chapter, which opens with a still under-publicized layer-2 802.11 attack, it grabbed my attention. This is a great book for seeing not just what attacks are out there, but what attacks people in the security industry think are likely in the real world.
Like the previous volume, there doesn't appear to be much vendor bias in this book, which is always a welcome sight to me. Also, although the authors work in the security industry, they stay away from promoting themselves or their companies. (They do include links to some documents on company web sites, but they are technical documents, not marketing fluff.)
This volume is also packed with humor, although perhaps not everyone will appreciate or catch all of the jokes. My favorite quote in the book is from the chapter where "d4rkl0rd", a young novice hax0r who only speaks in l33t speak, is at the dinner table: "n0 m0m, 3y3 h4t3 gr33n b34ns, dUh!"
Conclusion
I definitely recommend Hacker's Challenge 2 to anyone interested in, or responsible for, computer security. Even if you are very familiar with the subject, it's worthwhile to look over the attacks and solutions presented, and to compare the suggested response with the one you would use if presented with a similar scenario. The book is worth picking up even if you have read the previous volume, as it is of even higher quality, and covers, for the most part, completely different attacks. The format is easy to read and the real-world problem scenarios presented are interesting enough to keep you reading. The solutions are well presented and thorough, covering not just what happened in the attack and how to put the course of events together from the clues, but also ways to prevent and mitigate the attacks. Highly recommended. You can purchase Hacker's Challenge 2 from bn.com.
... a low hug!
Bone-O-Rama.
Mad Libs for hackers...
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
d00d, L1Nux r0xx0rZ u NT w1nd0ze frum M$
Manipulate the moderator system! Mod someone as "overrated" today.
...when they can just hack Windows instead?
=)
My other sig is an import.
I proceed to insert my long bleeding dick inside her asshole and fork my penis up her tubes and fuck my goat and cut her beef with a slice of wheat bread.
i pour bleach on her vagina and set it on fire.
she loves it kinky...
Physical violence may be the greatest threat of them all; a gun pointed to someone's head may ruin any security system.
A Windows == insecure joke on slashdot!
Will the hilarity never end?
You're too funny!
Well, the idea of hacker challenges rings a bell with me, as *hacker challenges* were one of the main things that got me interested in computing more than ever before. That reminds me of the many online hacking/programming challenges I played before; some of them were really fun. Examples include http://www.try2hack.nl, http://www.arcanum.co.nz, http://www.slyfx.co.uk, http://www.mod-x.co.uk and many others. They might not be really hard or challenging enough for experts, but they get you well into the interest of computing and security. (They have no aim of producing black hat hackers, IMO; all they aim at is producing people interested in securing themselves and the people around them.) I'll be looking into getting this Hacker's Challenge, as it really sounds interesting :).
"What you 'seek' is what you get!"
Captain Crunch is gay!
Does it cover how to prevent these? Sure are a lot of them lately.
Everything you need to know about hacking:
1. If it's Linux you need to get into, just go out on the internet and look up how to do it.
2. If it's Windows, give up because its asshole isn't sitting out in the open for the whole world to look at and dissect.
Well, that's a lot better than Linux development, which is a bunch of filthy hippies who smoke dope and eat week-old pizza while sitting on the sofa in their own filth. Get a job, you stinking pieces of shit; quit leeching off of society, looking to me for handouts all the time. This isn't a free ride, software isn't free, people BUY and SELL things; that's what makes this country what it is. Go hit the streets and look for a job once you get a marketable skill. Here's a clue: it isn't Linux. People use Windows, not some filthy OS that every slimeball with a modem has had their disgusting fingers in. Linux is the ultimate binary whore; everyone keeps sticking their diseased pecker in her, and the condom has been designed by and USED by everyone. Yup, I'm going to place the reliance of MY company on that awful shit. Hit the streets and find a job, which should be easy for you because the streets are probably where you live, working the corner with a cup in your hand: "Feed me! Free software! Free lunch! I'm a lazy drop of piss who won't pay for anything!" You make me sick with your open source and tree fucking and dog kissing. Kiss my ass. Add something to life; stop coasting through it, you stupid cunts.
A slammer worm locks down your server. What do you do? ...
Answer: Take the week off.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
http://service.bfast.com/bfast/click?bfmid=2181&sourceid=39391960&isbn=0072226307
;)
Slashdot is going to make some money...
Mike is a muscular X-Games wannabe and David Pollino is a fucking moron. I interviewed with these idiots at @stake and decided I'd rather not work with blackhats turned gray. Not to be a troll, but I can't believe that anyone takes these jackoffs seriously.
On a side note, a friend of mine had @stake come in and do some security tweaking and the guy from @stake cost him an extra two days work because he had misconfigured some part of his firewall. He has since switched to a different company.
Remind anyone else of an Encyclopedia Brown book?
"Gee Willikers, looks like Bugs is up to something again. What? He's hacking the Pentagon? No need to call the authorities - us kid detectives have it under control! What? He just launched nukes at Russia? Maybe i'll leave this one to the cops..."
Also check out Encyclopedia Brown and the case of the Pirated MP3s.
to take a shower! you stink
While I agree the Segway is definitely cool, and I'd stomp right out and buy one tomorrow were a fortune to hit me, it has some problems.
- Cost. $5000?!? Try closer to $1000-$1500. I can buy a cheap used car for $1500, buy gas and insurance for several years, and still be ahead compared to a segway.
- The weight and short range would not be a problem for what I imagine it being used for, but I think most people are holding out for the next generation of Segway which would be a quantum leap ahead in terms of range and weight due to a power source other than batteries. Why spend $5G now when a vastly better one is "just around the corner."
- Practicality. It's not going to replace a car, you'll still need a car to shop for a decent amount of groceries, get your kid from soccer practice, going on a date, get to work in the snow or rain, etc.
- Lack of facilities. Where do you park it? How do you secure it against theft (yes, there's a key, but that won't stop an idiot thief from tossing it in his car; he won't have a working Segway, but neither will you. This is a MAJOR problem with motor scooters and why they are not very popular)? Will you be able to recharge it once you get to work or the mall 6 miles away (remember, 11-mile range)?
- Politics. Yes, they've done work getting the okay for a Segway to be used on sidewalks in many states. It's just a matter of time before some pinhead runs his around in a mall, mows someone important down on the sidewalk, causes a traffic jam by running it in the streets, or otherwise ruins it for everyone.
- Safety. Not a fault of the segway itself, but of the operator with regards to other traffic. The same problem motorcyclists have with people not seeing them, but far worse. Drivers aren't used to seeing people hover across a crosswalk without swinging their arms or legs.
Why I Gave This Book An 9
Because it would not be a
I want to drag this out as long as possible. Bring me my protractor.
"Why I Gave This Book An 9"
Timmy, Timmy, Timmy, you may need to review the little blue English handbook....
Shoot the server. Take it out of the equation.
This "Speed" moment was brought to you by Mentos.
A book entitled "HACKER'S Challenge" ought to be a series of programming puzzles with clever, nonintuitive answers.
I suppose trying to get writers and the general public to distinguish between hacking and cracking is a lost cause, but we need to keep trying.
"How to Do Nothing," kids activities, back in print!
I have read through a few of the scenarios, and they are great. I haven't read the first in the series, though, but I might go back and do that at some time. Having been Adam's roommate at Drexel a few years back, I can vouch for his very talented security analysis skills, so any work with his name on it gets my seal of approval right off the bat anyhow.
Oops, this is Slashdot. Sorry about that.
sorta like a choose your own adventure book...
they should make one for adults... they would only have to actually write on half the pages... as they could assume everyone would just pick the selection that looked like it would lead to sex...
-You're wasting your time. Alfador only likes me.
What does N-I-N-N-L-E spell?
Ninnle! The best Linux distro ever!
Linus Torvalds himself has endorsed the kernel!
Now say it twelve times fast...
Ninnleninnleninnle...
BATMAN!
See how great Ninnle Linux can be?
Try Ninnle today!
I doubt Mike would remember me, but Mike got pissed off at me back around 1995 because I insulted one of his hacker buddies (They didn't like the fact that a few of us were storing warez on the "/hack2/tmp" directories there). Mike threatened to hax0r my Netcom account.
That stewed me for years, but I finally got my revenge on him when I visited Cesar Gracie's BJJ school a couple of years or so ago and rolled with him. He was tapping like an experienced conga player.
What comes around goes around Mike.
is just getting up in the morning. I was hacking so bad this morning, I thought I was gonna die. Smoking more - enjoying it less.
I can't believe my mom recorded that conversation!
This is so embarrassing...
/syle
What if someone bought a copy of this book with a stolen credit card and sent it to the company that was responsible for the "supposedly" 8 million card numbers that were stolen?
those were the days...
I thought it was the reverse: challenges for systems to hack into.
After that, I thought, maybe it's real 'hacks', as in what the Jargon File would define 'hack' as.
Speaking of which...I tried to provide a link to www.tuxedo.org and got redirected to various sites. What's up with ESR's site?
just try eating an entire box of Whoppers.
d00dz!
c4n $Um1 pLz p0st a PDF of thz $0 I c4n dl !T?
This
Here on Slashdot, I would expect nothing more.
This book looks interesting. However, I am not very familiar with computer security. Is this the type of book that a computer geek with basic Linux knowledge and hardware knowledge can pick up easily?
What comes around goes around Mike.
Yeah you fucking fuck.
Mad Hacker: "Pop quiz, hotshot! Hacker just started compiling and executing a killer virus on his machine! You can either save the internet or capture the bad guy. What do you do?"
Keanu Reeves: "Shoot the boxen."
Mad Hacker: "But it's got a bullet-proof cover over it with a keyboard entry system...and YOU DON'T KNOW THE PASSWORD"
Keanu Reeves: "I'm already in!"
Mad Hacker: "But how?!"
Keanu Reeves: "The three most commonly used passwords: love, secret, and sex...not necessarily in that order"
Mad Hacker: "But it's not any of those"
Keanu Reeves: "Don't forget about 'God'. System operators love using 'god'."
Ok...maybe I went a bit overboard with it...
I was first intrigued by case studies when I read Hacking Linux Exposed, which has excellent real-world case studies. Turn them on their heads and they are useful as challenges too. Since HLE was based on Hacking Exposed, I thought I'd get it for those case studies, but they are lame 1-2 page things.
You can get the case studies for HEL online now, which is cool.
Does anyone else have good case studies / challenge pointers that are available online?
a bit overboard
The feces shooting out of my trousers will testify to that fact.
So true... in fact the other day I was trying (with no luck) to find a book of problems and puzzles for programmers. Ideally nothing language specific, more focused on clever algorithms... a fairly concise problem statement (say a page or less) and answerers that are self checking (i.e. if you got the answer... you did it right). With puzzle complexity being something that would take a day to a week to solve and really push creative thinking... if anybody knows of one... please let us know... if not... maybe I should start writing. ;)
Have you thought for yourself today?
Robert Redford was in the movie Sneakers, not Hackers. *end movie troll*
Ahhh... #r00t days
486578
While we're on the subject, somebody please inform Kevin Mitnick that he was a cracker, not a hacker as he kept referring to in his interview.
The term 'cracker' only came into use as a result of political correctness... the good hackers didn't like their name tarnished by the bad hackers, so they assigned the term 'cracker' to these people.
So one who breaks into systems is also known as a hacker. Your sense of political correctness prevents you from using that term. To you, one who breaks into Coke vending machines would be a soda cracker.
It's a martian with a phaser-gun!, shouted Bugs, He's going to turn you into an ice-cream pie!
I can also remember Bugs Meaney's "2) ???" was "Trying to figure out why the stomach doesn't digest itself."
What was the girls name? Sally? She had Spunk.
One god, one market, one truth, one consumer.
Why do people even on slashdot not get it right????
Decompiling that JavaScript file on lvl 4 was bad; now I just can't wait to move on to 5.. hehe :|
... if the hacker is the security challenge. Organisations may spend as much as they like on security, but it's no good if the one entrusted to protect the henhouse is the fox.
True,
sorry, was a typo.
"What you 'seek' is what you get!"
Great book. I also found a monthly forensic challenge contest here.