Authors: Andrew Whitaker, Keatron Evans, Jack B. Voth
Publisher: Addison-Wesley Professional (www.informit.com/aw)
Companion Web site to book: www.chainedexploits.com
Published: February 2009
ISBN-10: 0-321-49881-x
ISBN-13: 978-0-321-49881-6
Format: Soft cover, 312 pages
Price: $49.99 (plus free access to an online edition of the book after purchasing the hard copy version)
Dealing with “Chained Exploits”
In the book appropriately titled “Chained Exploits: Advanced Hacking Attacks from Start to Finish”, the advanced hacking attack technique of “chained exploits” is defined as being “an attack that involves multiple exploits or attacks. Typically a hacker will use not just one method, but several, to get to his or her target.” Such an approach, by its very nature, makes these attacks hard to defend.
However, it’s likely that many people, especially those IT professionals charged with securing their organizations’ systems, will have mixed feelings about the contents of this particular book. The reason for that is understandable when you learn that this book not only explains how to defend against chained exploits but also that it provides, controversially, information about how to perform those types of exploits as well. In fact, in the book’s introduction it is stated that “most of what this book covers is completely illegal if you re-create the scenarios and perform them outside of a lab environment.” But the book’s three authors, Andrew Whitaker, Keatron Evans, and Jack B. Voth, are also quick to defend themselves by saying that their book “is necessary in the marketplace to educate others about chained exploits.” From the experiences that they have collectively gained by helping “secure hundreds of organizations”, they report that “the biggest weakness we saw was not in engineering a new security solution, but in education. People are just not aware of how attacks really occur. They need to be educated in how the sophisticated attacks happen so that they can know how to effectively protect against them.”
“Chained Exploits: Advanced Hacking Attacks from Start to Finish” consists of a short introduction plus eight further chapters. The “star” of the book is a fictional character called Phoenix, and throughout the book, readers can follow Phoenix’s motivations and actions for the attacks that he plans and subsequently carries out. For instance, in the opening chapter of the book, Phoenix devises what he regards as the perfect plan for “getting back at his bank” when the bank ups his credit card rate to 29% simply because he was late making one payment on his largish outstanding debt of $12,000.
Each of the chapters in “Chained Exploits: Advanced Hacking Attacks from Start to Finish” follows the same format. Each chapter begins with a section called “Setting the Stage” which provides the background information about the specific “chained exploit” to be investigated in that chapter. For example, “Setting the Stage” in chapter one, as briefly discussed above, contains the background information as to Phoenix’s planned attack on his bank. The next section of each chapter is then concerned with the “approach” that Phoenix is going to take. So, for example in chapter one, the authors of the book point out that Phoenix’s approach here is to “gather information about the bank’s Web site and find a way to compromise the bank through its Web site. Then he will hack into the bank’s Web site and attempt to steal credit card information. Although he could just use someone else’s card to pay off his debt, he thinks this might raise too much suspicion when the card owner discovers a $12,000 payment. Instead, Phoenix plans on selling the credit cards that he steals from the bank on the underground market. After receiving payment, he can pay off his debt.”
The third section of each chapter presents the specific details of how the “chained exploit” is to be accomplished. Again referring to chapter one from the book as an example, the execution of the “chained exploit” there involves a series of activities such as 1) enumerating the bank’s Web site, or, in other words, learning as much as possible about that site, for instance, the operating system and Web server version running on the site, etc.; 2) enumerating the credit card database; 3) stealing the credit card information from the bank’s site; 4) the on-selling of the credit card information to the underground market; and 5) defacing the bank’s Web site. According to the book’s authors, “defacing a Web site is a common attack used by malicious hackers when they want to get a message across. Often it is a form of hacktivism, where malicious hackers want to deface a site for political or religious reasons. But in this case Phoenix is doing it to protest the recent rise in the credit card interest rate.”
For the majority of readers of this review however, it will be the fourth section of each chapter that will be most eagerly read since that’s where the authors of the book reveal the different types of countermeasures that can be taken to thwart each “chained exploit”. The authors of the book encourage readers to actively compare the information contained in these sections with the readers’ own organizations’ “security policies and procedures to determine whether your organization can or should deploy these countermeasures.”
The second chapter of the book, titled “Discover What Your Boss Is Looking At”, is available online as a sample chapter from the Web site of the book’s publisher, Addison-Wesley Professional (www.informit.com/aw). In this particular chapter, Phoenix becomes upset with his boss when the boss decides that, from now on, all employees, including Phoenix, will have their email monitored to ensure that any messages being sent and received are only work-related. The censorship situation is further inflamed when the boss also informs Phoenix that his “Web surfing” too will be scrutinized to ensure that no personal use of the Internet is made during working hours. To enforce this, the boss tells Phoenix that he will no longer be permitted to delete his own Web browser’s history. In retaliation, Phoenix decides to “turn the tables on his boss” by spying on his boss’s online activity, and therefore hopefully exposing the boss himself for misusing email and the Net for non-work related activities. By the way, when you venture online to read this sample chapter, you might also like to take to opportunity to read a bonus article published on the site as well – it is titled “Top 10 Social Engineering Tactics.” Access to that article is via the “Extras” tab that has been set up in the Web pages reserved for this book.
Let’s now take just a brief look at the other sorts of “chained exploits” covered in the remaining six chapters of the book:
• Chapter 3: Temporarily taking down a competitor’s Web site so that the site’s contents can’t be accessed at a critical time of its operation.
• Chapter 4: Carrying out corporate espionage, for example, by stealing vital information from a competitor’s research facility in order to gain a market edge over that competitor.
• Chapter 5: A “chained corporation” attack. The authors of the book define such attacks as “attacks that originate through one company, and end in the compromise of a peripheral company.” The book’s authors lament the fact that “we often go to great lengths to secure our networks, tighten our applications, and lock down nodes. But few companies ever stop to look at the infrastructure of the companies they blindly allow access into their network.”
• Chapter 6: In this chapter Phoenix is engaged to break into an electronic medical records system and access health-related information in order for that information to be subsequently used illegally.
• Chapter 7: Attacking social networking sites. The aim of this particular chained exploit is for Phoenix to hack into an aspiring politician’s account on a social networking site, temporarily take over that person’s social networking identity, and then to discredit that person by sending out propaganda to ensure that the person is “detested by the public.”
• Chapter 8: In this final chapter of the book, Phoenix causes trouble when he hacks into an organization’s wireless based network, with the ultimate aim of stealing information about members of that organization.
There is little doubt that the content of “Chained Exploits: Advanced Hacking Attacks from Start to Finish” will shock a lot of people – for a couple of different reasons. Firstly, some readers will be upset that so much practical information is presented that could be used in the wrong way against either individuals or organizations. Secondly, it’s more likely though that the majority of readers will be shocked because they will see clearly, maybe for the first time, just how vulnerable they and their organizations are, to attack from malicious hackers. So I urge you to read the book to find out how to set up the best defense strategies possible against chained exploits, rather than wait until a hacker strikes.
In conclusion, it is worth noting too that, although a companion Web site to the book has been set up at www.chainedexploits.com, there was little content available there when this review was being written. In fact, only a single video was available for download, its title being “Client Side Exploit Against Windows Vista.” Hopefully when you yourself visit the site, this situation will have been rectified, with more information for you to browse through, and then to refer back to whenever the need arises.