Over the last five years, a number of books have been released that purport to teach the tools and techniques of computer hackers--Halting the Hacker (Prentice-Hall, 1996) by Pipkin, and Hacker Proof (Jamsa Press, 1997) by Klander and Renehan, to name two--but the quality has recently improved.
In particular, two books have crossed my desk that have either Hack or Hacker in the title or subtitle (a prerequisite, I suppose) and each has merits. Hacking Exposed, Second Edition (McGraw-Hill, 2001), by Joel Scambray, Stuart McClure, and George Kurtz, and Maximum Security, Third Edition (Sams, 2001), by anonymous, are 700 and 860 page volumes respectively, stuffed with tips, techniques, and tools allegedly used by the hacker intelligentsia to make your life miserable.
Let's be clear about one thing: the goal of these books isn't to help you become a computer villain. Rather, they claim to help you understand the techniques used by computer hackers so that you're in a better position to test your defenses and protect against intrusions. Among other things, the books help you do "ethical hacking," which is the use of hacker tools and techniques to test the mettle of your security defenses (see my previous column for details).
Still, both books could be used as training tools for budding network system crackers. While it is easy to find Web sites with hacking tools that you can download and play with free, these books provide the guidance to understand the tools and to use them effectively.
This is a good thing. Some might view books about hacking as metaphorically handing out guns to teenagers at the local bookstore. But, clearly a lot of 45-year-olds need to learn about these things. Ultimately, the more widely the techniques are understood, the easier it will be to defend against them.
So just how easy is it to get inside the criminal mind? Let's take a look at the books and what they offer.
Hacking Exposed is the best book I've seen so far for learning hacking techniques. The book is authoritatively written, well organized, and includes specific techniques for Novell's NetWare, Unix system flavors, and the various Windows operating systems. The quality and depth of the information in this book is scary.
This book doesn't have a companion CD-ROM, which is probably just as well. CD-ROMs accompanying books are notoriously flaky and they tend to go stale rapidly. Instead, the authors have a Web site with lots of links to applications, security sites, and scripts mentioned in the book.
The "lead author" of Maximum Security is anonymous (a cute marketing gimmick?), but the inside cover lists 13 contributing authors. Despite its subtitle, A Hacker's Guide to Protecting Your Internet Site and Network, this book is less focused on hacking techniques. Instead, the authors try to provide the background for approaching site security, an ambitious undertaking.
Maximum Security discusses security issues at a higher level, with less detailed analysis of hacker tools and a more strategic, managerial tone. It also has interesting, brief, platform-specific sections on VAX/VMS, Macintosh, and Cisco routers and switches, as well as in-depth sections on Novell, Microsoft, and Unix flavors. Its CD-ROM contains a number of well-known tools for hacking, testing, and managing network security.
These two books can help you get inside the hacker mind, but at the rate new attacks are discovered and dissected, they'll need an update at least every six months. Still, there's no better way to start thinking like your enemy.
Are these books the equivalent of giving free weapons to the script kiddies of America? Share your opinion at Jason Levitt's Listening Post discussion forum.