Honey can I hack ya?

Apr 5, 2002 (Updated Apr 5, 2002)

Pros: Completely organized, well-written, complete, and as up to date as possible.

Cons: Bad hackers can read it too; would have liked more case studies.

The Bottom Line: Hacking Linux Exposed is a book no Linux system administrator should be without.

If you have a vulnerable computer attached to the BIG BAD INTERNET, sooner or later your box will be compromised. Notice I prefer the term compromised to hacked. Hacking is a benign activity. You hack out of curiosity and [hopefully] with prior permission. Can this be done? Can I get into this box? How is he trying to keep me out? What stone has he left unturned? Whoops: he has a bulletproof firewall but he left this one vulnerable CGI script in his httpd directory: HA! I'M IN! At that point the correct thing to do is to stop and notify the hackee. But once a hacker gets in (especially if he is there without permission), the temptation to quietly mess around and cover his guilty tracks is usually overwhelming. Then it has gone from hacking to compromising someone else's box.

You may ask: why hack when everybody has their own box nowadays? I think it's for the challenge. Hacking is very similar to playing Riven or similar computer games where you gather information and use it to achieve a goal [usually root access in a Linux box]. But, after they root you, they may want to use your box at the very least as a free playground, and at the very worst, to steal your data or try to frame you for an attack on some other network.

If you don't mind contributing to the poor underprivileged script kiddies' Mbps fund, or having your hard drive scanned and changed at the whim of an adolescent, don't worry about security.

Otherwise, if you have a Linux box, read this book!! If you have a Windows box, you might want to skim it as well. Some of the cracks it discusses are launched from Linux space, but they can work in any network space. The same authors also have a Hacking Exposed title which is centered on Windows. I hope to review it soon.

The book is organized into five major sections--thirteen chapters and four appendices. The major sections are:

I. Locking into Linux: Provides a security overview, outlines proactive measures you can take to secure your box, disaster recovery procedures, and how to identify other types of vulnerabilities.

II. Getting in from the Outside: This is the type of compromise people fear the most: It discusses social engineering, physical access cracks, breaking in over the network, and network abuse.

III. Local User Attacks: Discusses how a local and at least somewhat trusted user can jack up their status to do things they're not supposed to, password cracking, and backdoors, since once a cracker breaks in from outside, the first thing he or she does is make him/herself a highly privileged local user and install hidden playgrounds for him or herself.

IV. Server Security: How crackers abuse email and web servers in particular, and how to configure Linux firewalls to nip them in the bud.

V. Appendices: Mainly a reference section on where to go for patches, but the last appendix is a series of three case studies. I found the case studies in particular very interesting!!!

This book covers all the bases and goes into just the right amount of depth. It assumes some familiarity with CLI Linux. It gives you a basic understanding of each cracking technique with examples whenever possible. If the size or complexity of the example would be too voluminous, they refer you to the web where you can read the whole thing. All the websites I have referred to from this book so far have been up-to-date. The writing style is head and shoulders better than a lot of technical books I own.

Three warnings: These are things I had already heard, but after reading this book it is totally stark:

NEVER use telnet or FTP! It's child's play to sniff these, and there are encrypted alternatives that are just as easy to use.

NEVER trust anything coming in to you from the web! It's also child's play to put hacks into web form data.

NEVER tell anyone anything they don't need to know, such as hostnames, user names, tel no's, type of hardware, network layouts, IP numbers, database schemata, or what type of firewall you use. You may think this stuff is benign but a skilled hacker can use it against you.

So far I have hacked all the workstations on my own LAN. I have also discovered vulnerabilities on two external networks that I own as if I were an outsider (i.e. not using the admin password or internal knowledge). I have hacked two friends with permission (one running Windows). Both of these friends were happy that it was I who found their Achilles heel and not some seventeen-year-old in Singapore.

[Disclaimer: This book is freely available. As with any tool, it can be abused. An axe can be used to split firewood, or for an axe murder. This book can be used constructively or otherwise. It is powerful stuff. Some of the things in it could easily land you in MAJOR hot water, as in hard time -- lots of it, and banning from computers. You have been warned.]
