From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-02-10
<pre>---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Organization: Vancouver Institute for Research into User
Date: Wed, 10 Feb 1999 12:19:41 -0800

BKFICMCR.RVW   981106

"Fighting Computer Crime", Donn B. Parker, 1998, 0-471-16378-3,
U$34.99/C$49.50
%A   Donn B. Parker dparker@sric.sri.com
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-16378-3
%I   John Wiley & Sons, Inc.
%O   U$34.99/C$49.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   512 p.
%T   "Fighting Computer Crime: A New Framework for Protecting
      Information"

Parker feels that too much of the data security field concentrates on
technical answers to the problems of reliability, integrity, and
availability of data, and doesn't pay sufficient attention to those
people who are deliberately out to read, steal, or ruin your
information and systems.  Personally, I find it rather ironic that he
defines "crimoids," in chapter one, as minor events promoted to much
higher significance by the media, and public misperceptions.  In the
non-specialist realm, more people spend more time worrying about
"hackers" than ever back up their drives.  (I am reminded of a friend;
an intelligent and educated person who started his career programming
large and sophisticated information systems and who has now risen to
the executive ranks; who has for years refused to get a modem for his
home computer.  In spite of his frequently expressed desire for access
to the Internet, and my repeated assurances that with his current
computer and operating system there is no hidden danger, he remains
convinced that the mere attachment of a modem to his machine will
allow someone to break into his computer and damage it.)

Who, then, is this book written for?  The author does not say, but
what he does say in the preface seems to indicate that he is not
writing for those whose business cards make reference to security.  (I
have neither argument nor inclination to dispute Parker's assertion
that security "professionals" do not really deserve the designation.) 
But if this text is aimed at the general public, chapter one's
emphasis on the dangers and lack of protection would seem more
inclined to incite further panic, rather than a realistic and measured
response.

Chapter two is an interesting and useful examination of an often
unasked question in the field: what is the nature of the information
we are supposedly securing?  There are valuable side points, such as
both the danger and the opportunity in the security arena presented by
the Year 2000 problem.  At the same time, I have to note that an
erroneous description of the Cascade virus is an example of Parker's
asserting points that are just beyond the available facts, and, for me
anyway, has an unfortunate effect on the trustworthiness of the work
as a whole.  The review of cybercrime, in chapter three, has more
reference to journalism and other forms of fiction than to reality,
but I have to agree with everything said there.  Computer misuse and
abuse is discussed in chapter four.  (As if to make up for chapter
two, the section on viruses is very good.)  Network misuse is covered
in chapter five, and although I still have trouble believing in the
reality of salami attacks (Parker's sole example is said to have
resulted in a conviction, but no citation is given) I am a bit more
willing to accept his broader definition.  Chapter six is extremely
strong in portraying a realistic and broadly based analysis of
characteristics of computer criminals.  A similarly informed and
balanced approach distinguishes chapter seven, regarding hacker
culture, but there is also a universally condemnatory tone that is not
wholly justified by the facts as presented.  Chapter eight is a very
helpful first step for those wanting to deal in the art of computer
security.

Chapter nine reviews the deficiencies in most current security
practices, noting overprotection in some areas while ignoring
loopholes in others, and a flowery jargon that serves mostly to hide
the fact that security people just don't feel very comfortable with
what is going on.  However, Parker's new model of security, in chapter
ten, while it is very clear and useful, does not extend recent work
in, say, electronic commerce.  On the one hand, this congruence does
support the model, but on the other, one can't really say it is too
novel.  The popular, but demonstrably incomplete, risk assessment
study is de-emphasized in favour of a more difficult, but more
realistic, baseline security standard in chapter eleven.  Details on
how to conduct such a study are very helpfully given in chapter
twelve, although the benchmark chart is going to be much harder to
come by than is made clear in the text.  Chapter thirteen provides a
practical and useful set of criteria for determining control
objectives.  A number of security tactics are detailed in chapter
fourteen.  Chapter fifteen takes the larger strategic view.  (I was
delighted to see the inclusion of a section on corporate ethics in
this chapter.  Recently I contracted to produce a security document
for an educational institution, and was told to take the section on
ethics out.)  Management of security, in chapter sixteen, includes
provisions for training, policy, and other factors.  Chapter seventeen
finishes off with a look to the future.  The material, while thought-
provoking, is possibly more likely to generate arguments than
solutions.

Parker's stance on security in general definitely puts him in the camp
of the professional paranoids.  However, absent the first and last
chapters, there is a lot of good, solid knowledge here to help educate
any security practitioner.  The material in the second half of the
book is just as valuable to the security process as the more technical
works such as "Practical UNIX and Internet Security" (cf.
BKPRUISC.RVW) by Spafford and Garfinkel, albeit in quite a different
way.  An informed security policy is every bit as important as a good
set of "access" controls.

copyright Robert M. Slade, 1998   BKFICMCR.RVW   981106

======================
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
        Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
        Linked to bookstore at http://www97.pair.com/robslade/
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
---------------------------------------------
Date: Tue, 9 Feb 1999 15:13:28 -0700
From: cult hero <jericho@forced.attrition.org>

0849381584.rev   990131

"Investigating Computer Crime", Clark/Diliberto, 1996, 0-8493-8158-4,
U$49.95
%A   Franklin Clark, Ken Diliberto
%C   2000 Corporate Blvd, N.W., Boca Raton, FL 33431
%D   1996
%E   n/a
%G   0-8493-8158-4
%I   CRC Press, INC
%O   U$49.95 
%P   228 p.
%T   "Investigating Computer Crime"

Chapter 1 - "Computer Search Warrant Team": Chapter one starts out 
quick and to the point. In this three page chapter, the authors outline
six groups that make up a computer search warrant team. Supervisor,
Interview Team, Sketch/Photo team, Physical search team, security/arrest,
and technical evidence seizure team.

Chapter 2 - "Computer-Related Evidence": A detailed list of types of 
evidence that can be found at a subject's location. The chapter lists
types of evidence, shows where it might be found, gives examples,
as well as includes pictures. Unfortunately, the common stereotyping of
hackers begins here which may distract the reader from the facts.

Chapter 3 - "Investigative Tool Box": Every investigative team should carry a
toolkit to effectively perform their duties. The advice and recommendations in
this chapter seem to focus on MSDOS and Win 3.1 systems. Programs and software
tend to be Windows based commercial programs. Little mention is made of OS/2,
UNIX, or more obscure OSs.

Chapter 4 - "Crime Scene Investigation": Each investigation must go through
certain steps to be effectively completed. Starting with scene evaluation and
ending with "completing the search". This chapter goes step by step through the
required process.

Chapter 5 - "Making a Boot Disk": Once again, this chapter seems to focus on
MSDOS based systems. Those investigating Unix or NT systems will not benefit
from the information here. Since a majority of systems are now 95, NT, or Unix,
this chapter could stand for a second version.

Chapter 6 - "Simple Overview of Seizing a Computer": Chapter six is nothing more
than a three page checklist overview of the steps in seizing a computer.
Unfortunately, it doesn't go into much detail or prepare the reader for uncommon
occurrences.

Chapter 7 - "Evidence Evaluation and Analysis": Once the material has been
collected from the subject computer, the long process of examining the files
begins. Covering the different types of files like spreadsheets, databases, or
graphics, this chapter focuses on DOS or Win based computers.

Chapter 8 - "Investigating Floppies": Much like the previous chapter, this one
applies to any floppy disks seized in a warrant.

Chapter 9 - "Common File Extensions": A three page list of common file
extensions. Aside from the duplicate entries (like 'gif'), there is a noticeable
lack of other extremely common extensions like 'tar', 'gz', or 'arj'.

Chapter 10 - "Passwords and Encryption": While covering passwords and elements
of good password security, the chapter falls very short on practical encryption.
Someone new to investigating computer crime is likely to walk away thinking that
encryption will not be a big hurdle when encountered. Rather than cover more on
PGP, CFS, or SFS, the chapter goes into BBS passwords, Quicken, Word Perfect,
and similar programs.

Chapter 11 - "Investigating Bulletin Boards": The obvious base of the author's
experience, this chapter goes into details on BBSs, their operation, finding
them, and more. Along with some information on elements of a BBS, suggestions
are made for the L.E. officer poking around new BBSs. Guidelines for
investigators trying to infiltrate a BBS are given, but the concept of fitting
in seems to fall short.

Chapter 12 - "'Elite' Acronyms": The mere existence of this chapter along with
the short list suggests the authors don't fully grasp the depth of the
'underground' scene. While listing some obscure groups I have personally never
heard of, they leave off well known and overly used acronyms often used among
the scene.

Chapter 13 - "Networks": Perhaps one of the more concise chapters, this section
gives a good summary of networks, network devices, and network operating
systems. Understanding networks is the key to properly investigating.

Chapter 14 - "Ideal Investigative Computer Systems": Though written in 1996, the
recommended systems for investigators as outlined seem appropriately detailed.
However, while the outline does provide a decent foundation for new
investigators to work from, it seems rather short-sighted.

Chapter 15 - "Court Procedures": Often one of the more elusive and more
misunderstood components of a computer crime investigation, the court procedures
are often the most critical. This chapter touches on expert witnesses, pretrial
preparation, terminology, and more.

Chapter 16 - "Search Warrants": By citing case law and specific examples the
authors have encountered, a good coverage of details on types and
differences of various search warrants is presented. Included in the chapter are
sample warrants from previous cases to give the reader a solid idea of what they
encompass.

Overview: For someone new to investigating computer crime, this is the ideal
book for you. Not only does it cover most aspects of an investigation, it does
so by providing examples and pictures for re-enforcement. To the experienced
investigator, the book may fill in a few small gaps or bring to light a new
element previously overlooked. Lastly, to anyone working on cases involving unix
or the internet, this book is not for you.
---------------------------------------------
Date: Tue, 9 Feb 1999 15:14:06 -0700
From: cult hero <jericho@forced.attrition.org>

0936653744.rev  990119

"Cyber Crime, How to Protect Yourself from Computer Criminals", 
Laura E. Quarantiello, 0-936653-74-4, U$16.95
%A   Laura E. Quarantiello
%C   P.O. Box 493, Lake Geneva, WI 53147
%D   1996
%E   n/a
%G   0-936653-74-4
%I   Tiare Publications/Limelight Books
%O   U$16.95
%P   141 p.
%T   "Cyber Crime, How to Protect Yourself from Computer Criminals"

Part One: 

Chapter One - 'Terrorism On Line: Inside Computer Crime': Chapter one
opens with defining computer crime, and does a decent (and fair)
job of defining why hackers hack. "In the end, it all comes down to
one of those six reasons."

Chapter Two - 'Computer Criminals and their Crimes: Digital Outlaws':
Starting out with 'phreaking', the author gives a brief history of
hackers and the phone systems. Unfortunately, a serious lack of research
shines through in this chapter, where a list of "phreaker boxes" is
quoted. It has been well established that a majority of these boxes
never worked, and were little more than wishful thinking by hackers
with little knowledge of the phone system. The rest of the chapter 
delves into different aspects of hacking and how hackers evolved.

Chapter Three - 'Cyber-Sneezes: Viruses': As with most computer security
books, this is the token chapter on computer Viruses. 

Chapter Four - 'The Darkest Side to Computer Crime: Threats to Your 
Personal Safety and Property': Chapter four begins by giving contrast
between crime and virtual crime. One admirable feature is the clarification
that not all online pedestrians will be mugged by cybercriminals. 
Unfortunately, a good portion of the chapter deals with 'stalking',
pornography, and child pornography, which seems out of place in contrast 
with other sections.

Part Two:

Chapter Five - 'Cyber Security: Foiling Computer Criminals and Staying
Safe': This chapter suffers the problem of trying to squeeze too much
information into a small place. Writing about how to secure your systems
should take books. Starting out with the idea of 'weak links', they
abruptly end after two and move into other non-numbered categories. While
a decent effort, it brings its failure upon itself by trying.

Chapter Six - 'Cyber-Cops: Walking the Digital Beat': Much to the dismay
of law enforcement, this chapter paints a relatively accurate picture
of the state of computer crime and law enforcement's ability to
deal with it (considering when the book was written). Toward the end of
the section, contact info for CERT and the advice to call the FBI
is given. The exact organizations the author found lacking.

Overview: For a 100 page, 1 hour read, this book does a better than
average job of portraying computer crime. Despite the handful of 
errors, the author gives a fair overview of computer crime, hackers,
and law enforcement.

review: jericho@dimensional.com
---------------------------------------------
Date: Tue, 9 Feb 1999 15:14:22 -0700
From: cult hero <jericho@forced.attrition.org>

0929408217.rev	0898

"The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking",
Carolyn P. Meinel, 0-929408-21-7, U$29.99
%A  Carolyn Meinel cmeinel@techbroker.com
%C  POBox 1507, Show Low, AZ   85901
%D  1998
%G  0-929408-21-7
%I  American Eagle Publications, Inc
%O  U$29.99
%P  268
%T  "The Happy Hacker: A Guide to (Mostly) Harmless Computer Hacking"

Technical Editors: John D. Robinson, Roger A. Prata, Daniel Gilkerson
                   Damian Bates, Mark Schmitz, Troy Larsen


My first impression of the book was a make money fast scheme gone wrong. 
Cashing in on the buzzword of the 90's, Ms. Meinel runs the word 'hacker'
into the ground by the end of chapter 1. 

Looking past the glaring errors in grammar and spelling, the reader must
deal with the constant technical errors, contradictions, and overall
lacking 'style' the author uses. The book consists of material that has
mostly been published on the web in various states (also technically
incorrect), and brings no new insight to the subject she claims to teach.

As far as teaching 'hacking', I couldn't find a single quality reference
or section that dealt with hacking. Considering the questionable past of
the author, the book furthers thoughts that she has no experience as a
hacker, security consultant, or anything related to computers at all.

What most people consider novelty 'tricks' like changing a Win95 bootup
screen, Ms. Meinel touts as 'hacking'. The continued reference to Windows
95 and lack of unix information further suggests the book isn't about
hacking at all, rather simple tricks and documented options that can be
found in most Windows books. 

For those interested in learning hacking, stick to more positive sources. 
Check out some other security books or online resources. Hacking is not
something that can be taught from a book, it is more a state of mind and
desire to learn. After reading this book, users can expect to find
themselves in a confused state with more questions than they started with. 
Unfortunately, they find themselves with no more insight on where the
answers may be found either.

Page 67: "I make my living asking dumb questions." Quoted material is
straight from the author's mouth, and seems to be dead on with the
technical level of the book.

review by: jericho@dimensional.com			copyright 1998



</PRE>
---------------------------------------------
