
Chained Exploits: Advanced Hacking Attacks from Start to Finish


Title: Chained Exploits: Advanced Hacking Attacks from Start to Finish
Authors: Andrew Whitaker, Keatron Evans, Jack B. Voth
Publisher: Addison-Wesley Professional
Type: Book / Paperback
Publication Date: 09 March, 2009
ISBN / ISBN-13: 032149881X / 9780321498816
List Price: $49.99
You Save: $18.50
Amazon Price: $31.49

*  This book is also available, brand-new, from 3rd-party marketplace sellers at Amazon.com, from $19.95.



Editorial Review / Publisher's Information:

Product Description

The complete guide to today’s hard-to-defend chained attacks: performing them and preventing them

 

Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits–both how to perform them and how to prevent them.

 

Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering.

 

Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today’s most effective countermeasures, both technical and human. Coverage includes:

  • Constructing convincing new phishing attacks
  • Discovering which sites other Web users are visiting
  • Wreaking havoc on IT security via wireless networks
  • Disrupting competitors’ Web sites
  • Performing–and preventing–corporate espionage
  • Destroying secure files
  • Gaining access to private healthcare records
  • Attacking the viewers of social networking pages
  • Creating entirely new exploits
  • and more

 

Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council’s Instructor of Excellence Award.

 

Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council’s Instructor of Excellence Award.

 

Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.

 

informit.com/aw

Cover photograph © Corbis / Jupiter Images

 

$49.99 US 

$59.99 CANADA




Customer Reviews:

 • Fun Read, Useful For Folks New To Security
07 August, 2009

As you might guess, I often read security books for fun, not for solving a particular technical problem. So I approached "Chained Exploits" by Andrew Whitaker, et al with that filter in mind. The book worked just fine for that purpose - it is well-written and has a story line, while covering enough technical details to be educational (for those who are reading it to learn about security and not just for fun). It covers the exploits of a malicious hacker "Phoenix" who fulfills the assignments of some underground criminal mastermind and sometimes just goes and 0wns somebody on his own. Obviously, the book does not cut it as "fiction" since it has actual commands, configuration, etc. The book is not about a new cutting edge technique or an "oh-day", its main goal is to actually tie "that security stuff" together for folks who are not skilled with it yet. IMHO, IT folks getting into security will benefit from it the most. If you 0wn boxes for fun and profit, you will not learn anything fundamentally new about security, but likely will have fun in the process. Think about it as "Life-like Security Horror Stories" or realistic scenarios. Still, these are a bunch of good stories of how mundane, "uncool" attacks tie together to achieve some rampant 0wnage, like having people at a hospital almost die as a result of one particular scenario... Each story covers motivation and goals of the attack, planning stage, sometimes failed attempts (and why they fail), tool selection and some guidance on tool use. Then it explains what happens and finally covers countermeasures that could have stopped it. The book bears unfortunate, but noticeable signs of being written by multiple people who didn't talk to each other much. Finally, the name ("Chained Exploits") first turned me away from the book, I thought it was kinda silly; now I suspect that it will attract some folks to the book. Recommendation: definitely worth a read if you are new to security, especially if moving from IT.
Useful for students in computer science classes to get motivated about security. Also useful for technical management to learn what is not just possible, but very real. Finally, useful for security folks - as a fun read - and also as a reminder about things in their own (still their own, not 0wned...) environments.

- Amazon Customer Review

 • A Multi-scenario Hacking Adventure Novel Focused On Combined Real-world Attacks.
11 October, 2009

The penetration testing (and criminal) field has focused during the last years on increasing the foothold on compromised systems, proving advanced pivoting and post-exploitation techniques that might help to expand the compromise to other systems or critical resources. This book is a novel that describes this reality by telling hacking stories where multiple techniques, tools and vulnerable input vectors are exploited in order to accomplish a variety of clearly defined attacks and goals. Each chapter is a well structured story describing multiple attack scenarios. From credit card theft, to insider threat, going through corporate espionage focused on stealing confidential intellectual property, the launch of a DoS attack in a key point in time, the risk and exploitation of inter-corporation network connections, physical access to healthcare records, up to social networking and wireless break-ins. The book is a modern fictional narrative with technical touches, covering attacks from start-to-finish in elaborated stories (my score evaluates the book from this perspective). However, by reading the book description, you might expect a deeply technical book that will teach you how to perform those attacks, and... it is not. Every attack story is introduced by setting the stage and the overall attacker approach. Besides that, it is surrounded by a few final defensive tidbits and conclusions, describing countermeasures to mitigate the various attacks covered. This book may act as an excellent eye opener for managers and top level positions (see recommended audience below) in order to understand how small security investments and tweaks can definitely help to increase the overall protection of a target environment substantially.
Unfortunately, from a technical perspective, some of the technical details have not been thoroughly reviewed, such as the output of nmap (order of ports), the unexplained switching of target systems from Vista to XP, the targeting of RDP while not on the port scan (chapter 4), or the coverage of some tools. Some attacks are a bit outdated, such as the silent winpcap installation to capture traffic from a target box. However, I must admit this book inspired some of the components of a recent "Prison Break" hacking challenge I released this summer (2009). Specific portions of the book and, overall, the story plot, are well written from a novel perspective, and as particular attacks are progressing, it made me feel the common excitement we get when we are involved in a real penetration test and successfully progressing through the targets, getting the adrenalin going. This book is highly recommended for people entering the security field, and for experienced technical security pros in two ways. On the one hand, it's an enjoyable and entertaining novel for a weekend or vacation period. On the other hand, it is a very good reference to give to managers and CxO positions so that they can get a feeling of what real-world attacks look like nowadays and the kind of targeted threats they may face.

- Amazon Customer Review

 • Each Attack Is Analyzed One Step At A Time
11 February, 2010

Andrew Whitaker, Keatron Evans and Jack B. Voth's CHAINED EXPLOITS: ADVANCED HACKING ATTACKS FROM START TO FINISH provides a fine guide to chained attacks and is a pick any network security library must have. Chapters cover new phishing attacks, how IT security can be vulnerable to wireless networks, how competitors' web sites are disrupted, and more. Each attack is analyzed one step at a time with the latest countermeasures - technical and human - covered. An outstanding presentation.

- Amazon Customer Review

 • Needs Another Editorial Pass
12 July, 2009

The concept of the book is decent, albeit quite similar to the Stealing the Network series of books, wrapping theoretical hacking attacks into readable stories. Unfortunately, the execution suffers from several problems. The narratives are all over the place and rarely bear any resemblance to each other. The stories follow the work of "Phoenix", a hacker who alternates from being someone that dresses poorly enough to be mistaken for a homeless person, performing attacks under duress as a shadowy employer threatens his girlfriend, to someone who has quit his job to live in a 3500 square foot house from the income he gets renting out large botnets. The book suffers from too-many-authoritis, and each author has a very different writing style that makes each story different from the last. One author is very good at working different tools into his story, while one author feels compelled to list every tool that could possibly be used to pick a lock or sniff wireless traffic. "Although Phoenix will not be using all these tools in his exploit, he could use: -Tool A: Long description from the tool's website -Tool B: Long description from the tool's website -Tool C: Long description from the tool's website" A few of the attacks are somewhat clever, while the majority are unnecessarily complex, apparently needing to hit a quota of different tools. In an attempt to find out what websites Phoenix's boss is browsing on a computer a few feet away, he decides to not use ARP Poisoning, MAC spoofing, or MAC flooding (although he discusses how each would work) in favor of using phishing to install a trojan to TFTP over a copy of netcat that he uses to manually install WinPcap so that he can trace a TCP stream in Wireshark in order to cut and paste a dump of the network traffic into a Hex Editor to save out a JPEG file. Apparently Phoenix is not a fan of simplicity. The usage of tools is also all over the place.
Sometimes he jumps right into using complex tools, while one story (the particularly egregious social engineering chapter) walks through Phoenix getting confused by how to choose the keyboard language when booting an Auditor CD. The book would also benefit from another pass by an editor. One chapter begins with a backstory that clearly presupposes the reader has a clue about some past dealings that Phoenix has had with another character. The next story is where Phoenix is introduced to the character for the first time. Elsewhere, Phoenix decides to use his Vista based laptop, and a few pages later he is using that laptop and booting up into Windows XP. While the introduction includes the standard disclaimer that everything in the book is potentially illegal and should only be done in a lab, some authors throughout the book felt compelled to insert similar disclaimers that were unnecessary and should have been caught by the editor. All-in-all, the book is okay, especially for someone new to the field of penetration testing who would like a little real-world context around how different tools might be used in conjunction with each other. If a second edition of this book is ever released, it could really use another pass by an editor to fix some silly errors and to help the authors speak in a unified voice. For me, the issues I mentioned above made the book somewhat difficult to read and enjoy.

- Amazon Customer Review

 • Good Read!
20 June, 2009

It is basically a collection of fiction stories, where the lead character uses non-fiction techniques to accomplish the "jobs" he was given. This book is entertaining and was well written. Once I started reading it, I couldn't put it down.

- Amazon Customer Review

