REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jun 8, 2009.

  1. BKZRDYTH.RVW 20090120

    "Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5,
    U$19.95/C$21.95
    %A Byron Acohido
    %A Jon Swartz
    %C 1 Atlantic Ave, #105, Toronto, ON, Canada M6K 3E7
    %D 2008
    %G 978-1-4027-5695-5 1-4027-5695-X
    %I Sterling Publishing Co., Inc.
    %O U$19.95/C$21.95 800-805-5489
    %O http://www.amazon.com/exec/obidos/ASIN/140275695X/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/140275695X/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/140275695X/robsladesin03-20
    %O Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
    %P 297 p.
    %T "Zero Day Threat"

    The title here is definitely misleading: the authors have just taken a
    sensational term and stuck it on a book about "the shocking truth of
    how banks and credit bureaus help cyber crooks steal your money and
    identity." Now, as a malware researcher, I'm delighted to see them
    state, right off the top, the rather bitter truth that security is in
    such a sorry state because the general populace demands convenience
    over security, and major companies are willing to give it to them.
    I'm not quite as happy to find that Acohido and Swartz don't fully
    understand what a zero day threat actually is. I'm willing to suspend
    judgment for a while based on their very useful division of each
    chapter into exploiters (traditional blackhats and opportunists),
    enablers (those who build weak infrastructures), and expediters (those
    who, in various ways, make the problem worse). It's good to see that
    the authors aren't just retailing the common "oooh, teenage hackers!"
    stories, and realize that the situation is complex, and involves the
    interacting behaviours of many different parties.

    The synergy of this approach is not demonstrated in chapter one. Of
    the three parts of the chapter, the first talks about some drug
    addicts involved in dumpster diving for credit card and bank account
    information, the second briefly notes the speed and volume of credit
    card transactions, and the third examines a few of the malware
    instances around the year 2000. It is not clear what these have to do
    with each other. Subsequent chapters follow up on these stories. The
    tales start to interweave at about chapter five, but few connections
    are made between the items in the content, and those that do exist
    seem to be almost random. A final chapter in the book, eighteen, is
    entitled "What Must Be Done." Unfortunately, it is overly broad, and
    not very specific, reducing to an assertion that we need better
    financial activity oversight and review, better Internet
    infrastructure, and better security in operating systems and other
    software. Appendix A, on personal security, contains a fairly
    pedestrian collection of advice on credit card, financial, computer,
    and Internet security. All of the recommendations would help increase
    the safety of most people: sadly they do not exhaust the possible
    avenues of attack, and many of the suggestions are not completely
    within the capability of the average user. (For example, yes, it is a
    good idea to use strong passwords that are long, and contain a mix of
    characters, and to change those passwords on a regular basis. The
    trick is to teach people ways of creating passwords such that the user
    can remember them, and attackers can't. As a second instance, it is
    dangerous to click on any banner ad or popup window: what proportion
    of those who use the Internet regularly can identify those entities
    when they appear?)

    Acohido and Swartz demonstrate, as David Rice did in "Geekonomics"
    (cf. BKGKNMCS.RVW), that financial entities have little incentive
    either to take serious steps to reduce electronic fraud, or to protect
    consumers (or merchants) from losses due to fraudulent transactions.

    The authors have done an excellent job of research in the narrative,
    at least as far as events in the public record are concerned. There
    is also evidence of commendable exclusive investigation to confirm or
    enhance specific areas. Unfortunately, the technical material has
    little depth, and is somewhat suspect when dealing with specialized
    areas.

    Overall, the stories of the blackhat community are entertaining, the
    tales from the financial world emphasize dangers that should be
    stressed, and the narratives from the malware environment provide a
    history (more social than technical) of major recent infestations.
    The work contains a wealth of stories that could be used to promote
    security awareness, but doesn't otherwise provide a significant source
    of security assistance.

    copyright Robert M. Slade, 2009 BKZRDYTH.RVW 20090120

    --
    ======================

    "Dictionary of Information Security," Syngress 1597491152
    http://blogs.securiteam.com/index.php/archives/author/p1/
    http://blog.isc2.org/isc2_blog/slade/index.html
    http://twitter.com/rslade
    ============= for back issues:
    [Base URL] site http://victoria.tc.ca/techrev/
    CISSP refs: [Base URL]mnbksccd.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    or
     