Subject: [CISSP-D] REVIEW: "The Database Hacker's Handbook", David Litchfield/Chris Anley/John Heasman/Bill Grindlay
Date: Mon, 30 Oct 2006 10:49:55 -0800
BKDBHKHB.RVW   20060913

"The Database Hacker's Handbook", David Litchfield/Chris Anley/John
Heasman/Bill Grindlay, 2005, 0-7645-7801-4, U$50.00/C$64.99/UK#31.99
%A   David Litchfield
%A   Chris Anley
%A   John Heasman
%A   Bill Grindlay
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-7801-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0764578014/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0764578014/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764578014/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   500 p.
%T   "The Database Hacker's Handbook: Defending Database Servers"

In the brief and disjointed preface and, similarly, introduction (two
pieces which could easily have been combined), we are told that the
book is intended for database administrators, network administrators,
security auditors, and security professionals.  However, there are
implications, right from the start, that this is a "hack to secure"
book and that, instead of real database security, we are going to be
dealing only with server engine bugs.

Part one is an introduction.  Chapter one is supposed to tell us why
we should care about database security, but instead still seems to be
dancing around the issue of bugs in engine code, and particularly the
bugs that the authors (and their relatives) have found.

Part two is about Oracle.  Chapter two tells us something of the
Oracle architecture, obfuscated by packet dumps and pages of code for
programs to attack parts of the system.  More of the same is in
chapter three, and, from the examples, it is not always clear how some
of these "attacks" differ from the simple ability of authorized users
to make changes to the system.  Possible operating system and network
attacks related to Oracle's command system are outlined in chapter
four.  Chapter five recommends various configurations and options for
making an Oracle database server more secure.

Part three looks at DB2.  Chapter six is an introduction to the
product (and pages of code for an authentication request).  Then there
are more pages of programming for finding a DB2 server (chapter seven)
and attacking it (eight).  Chapter nine is a terse mention of some
factors to consider when securing the system.

Part four reviews Informix, with architecture (ten), attack code
(eleven), and configuration for security (twelve).

Sybase gets the same treatment in part five.  This time the code (in
chapter fourteen) just gets the version number and chapter fifteen
looks at commands that can be passed to the network.

The popular MySQL is dealt with in part six.  Since the product is
open source, the examination of the architecture, in chapter
seventeen, is more detailed and the advice on configuration, in
chapter twenty, is equally extensive.

Part seven chooses SQL Server as its topic.  Architecture, attack,
hardening: no surprises.

Part eight turns to PostgreSQL.  Same.

OK, we get it.  Unpatched applications have holes.  Big surprise.  The
authors have provided very little that will be of use to database
administrators, network administrators, security auditors, and
security professionals.

copyright Robert M. Slade, 2006   BKDBHKHB.RVW   20060913
