The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
INSIDE INTERNET SECURITY:
WHAT HACKERS DON'T WANT YOU TO KNOW
by Jeff Crume

“Understand the real issues of Internet security -- without getting lost in the complexity!
- 16 key vulnerabilities hackers don't want you to recognize -- and what to do about them!
- Building computer security policies that really work -- and avoiding policies that are guaranteed to fail.
- A broad-based multi-platform approach, with special insider's insights into IBM-centered environments.

“Inside Internet Security is the practical, accessible, real-world security guide for everyone who designs or manages business-critical networks. IBM Tivoli Systems consultant Jeff Crume demonstrates how many hacker attacks are little more than "variations on a theme": tried-and-true, well-known attacks that only succeed because IT professionals choose to ignore their vulnerabilities. Crume shows how hackers think and work; how to assess your risk; how to build security policies that teach -- and how to avoid creating policies that are doomed to fail. He reviews the key network security risks hackers don't want you to know about: the limitations of firewalls, passwords and anti-virus software; security risks in downlevel software; dangerous default settings; obsolete cryptography; backdoors; and many more. Next, he presents a high-level guide to defending yourself, focused on the human and management issues that are at the heart of most information security failures. For all enterprise network administrators, designers, and managers.

- - - - - -

“This book is a practical guide for anyone designing or administering a corporate or e-business network that runs across a number of platforms via the Internet. It will arm systems administrators with a thorough understanding of the problems of network security and their solutions, and thus help realize the tremendous potential of e-business.
“With the explosive growth of e-commerce and the opening up of corporate networks to external customers, security is now the number one issue for networking professionals. Concerns about hackers and the possible damage they can do to a business, and the potential vulnerabilities of a system, can be overwhelming and can create an unhealthy business environment.

“However, a great deal of this is based on lack of information as to exactly how hackers approach their task, and of the exact vulnerabilities that they prey on. In this book, Jeff Crume dispels this fear by putting these threats into perspective and allowing realistic defense mechanisms to be created, to the extent that security becomes a business enabler, rather than inhibitor.

“Inside Internet Security describes the underlying principles that crop up again and again in hacker attacks, and then progresses to focus on lessons that can be learned, and on how to protect against recurrence.”

- - - - - -

FEATURES:
- Practical hands-on advice on securing networked systems
- Security checklists for common scenarios
- Pointers to other detailed information sources
- In-depth theoretical background information
- Real-world examples of actual attacks
- A glimpse into the future of IT security

- - - - - -

“The more things change, the more they stay the same ... These days it seems that we are inundated with a constant stream of news about the dangers of doing business on the Internet. Whether it be a new computer virus making the rounds, compromised credit card numbers, or a vandalized web page, hacking attacks abound. The simple truth behind the headlines, however, is that most of these "new" exploits aren't really all that new after all. Most are merely a variation on a theme and, as such, could have been prevented with proven techniques and tools.

“My intention in writing this book was to get to the heart of some of the most common vulnerabilities and dispel the myths that allow them to propagate.
There are any number of excellent books on cryptography, firewalls, etc. already on the bookshelves, and most of them provide tremendous detail, which is useful for security experts. I tried to write this book for a somewhat different audience -- IT professionals and their managers who need an understanding of the issues but who are not, themselves, security experts.

“My hope is that by putting the information that is well-known to malicious hackers into the hands of the "good guys", legitimate organizations will be better able to defend themselves from attack and that, as a result, we will all be better able to enjoy the benefits of e-business.”

- - - - - -

“A practical guide for those who design or administer corporate or e-business networks that run across a number of platforms via the Internet. Describes underlying principles of hacker attacks, and tells how to protect against such attacks, with advice on securing networked systems, security checklists for common scenarios, theoretical background information, and real-world examples of actual attacks. Crume is a veteran programmer and security specialist.” - Book News, Inc.

- - - - - -

CONTENTS

Preface.
Introduction. Magic or just a trick? Striking the right balance. 'Hacker' disclaimer.

I. SIZING UP THE SITUATION: SECURITY CONCEPTS.
1. Bringing down the Net. Talking the talk. Insecure from the start.
2. Is it safe? Rising from the ashes. You can't have it all. The hacker's obstacle course. The lesson of Lord Lovell - or - Too much of a good thing? But what's all this going to cost? News from the front.
3. What is a hacker? Homogenized hackers? Portrait of a hacker. The joy of hacking. What do they want? The real payback. An eye for an eye. Cyberterrorism. Hacking for fun and profit. Prime-time hacking. You've got the money and they've got the time.
4. Analyzing the risks (and counting the costs). Risk analysis or post mortem. Acceptable risk. Sizing up the situation. Cumulative insecurity. A meteorite-proof car? Cost-effective countermeasures. Evaluating countermeasures.
5. The role of policy. How to mess up a security policy without even trying. KISS that policy goodbye. Policy that teaches. Getting it right.
6. Putting all the pieces together.

II. THE HACKER'S EDGE: INTERNET SECURITY VULNERABILITIES.
7. What you don't know can hurt you. Gotcha!
8. Hackers don't want you to know that ... firewalls are just the beginning. What is a firewall? Under the hood. What a firewall can do. Drawing the battle lines. What a firewall should not do ... . Firewalls and policy. Holes in the firewall filter. Traditional firewall options. Firewalls, firewalls, everywhere ... . Keeping the firewall in its place.
9. Hackers don't want you to know that ... not all the bad guys are 'out there'. Model employee or spy? Good firewalls make good neighbours. Managing the revolving door.
10. Hackers don't want you to know that ... humans are the weakest link. Hacker or con man? It's a dirty job but somebody's going to do it. I know who you are and what you did. Plugging the leaks. The spirit of the law.
11. Hackers don't want you to know that ... passwords aren't secure. The problem with passwords. Insecurity administrators? Password guessing. Password nabbing. Password cracking. Throwing the book at them. Doing it the hard way. Exceptions to the (password) rules. Following the rules. Sign me on. Are you really you? The burden of proof.
12. Hackers don't want you to know that ... they can see you but you can't see them. What's that smell? Aroma or stench? The 'silent attack'. Sniffing for sniffers. Hanging up on the party line. Moving to a private line. Choices, choices, choices ... .
13. Hackers don't want you to know that ... downlevel software is vulnerable. It's déjà vu all over again. Pardon me, but your buffer is overflowing. You're breaking me up. This doesn't belong here! A cure that's worse than the disease? Exterminating the bugs. Spreading the word.
14. Hackers don't want you to know that ... defaults are dangerous. 'De'faults are your faults. The security afterthought. Minding the virtual store.
15. Hackers don't want you to know that ... it takes a thief to catch a thief. Levelling the playing field. Eating from the same trough. Keeping up with the hackers.
16. Hackers don't want you to know that ... attacks are getting easier. A deal with the devil? Tools of the hacker trade. Coming in through the back door. Burning bridges. 'You've got mail ... bombs'. I hope you can swim. Lowering the bar. The bottom line.
17. Hackers don't want you to know that ... virus protection is inadequate. Merry Christmas and a Happy New Worm. One good worm deserves another. Pick your parasite. Where do they come from? How do they spread? I'm not feeling so well ... . Epidemic or hysteria? Publish and perish. The virus is in the mail. Viruses in the pipes. Killer viruses! The sky is falling!!! Crying 'wolf'. In search of a cure.
18. Hackers don't want you to know that ... active content is more active than you think. Active hacking.
19. Hackers don't want you to know that ... yesterday's strong crypto is today's weak crypto. Cracking 101. The mathematician's war. Strong crypto? How strong is strong? The politics of cryptography. Securing the information highway for e-business.
20. Hackers don't want you to know that ... the back door is open. Lessons from the battlefront. High-tech defences. The door swings both ways. Dialling for dollars. Switching off. Locking the back door.
21. Hackers don't want you to know that ... there's no such thing as a harmless attack. E-graffiti. But it's only ... . We've only just begun ... to hack. Winning by losing. 'Unimportant' systems.
22. Hackers don't want you to know that ... information is your best defence. The hacker's prize. Your best defence. Information for the masses. Calling in reinforcements. Winning the war.
23. Hackers don't want you to know that ... the future of hacking is bright. I see more IT in your future. Upping the ante. Naked on the Net. Networks out of thin air. Cryptic solutions. Computers everywhere. The NC's niche.

Conclusion.

Appendix A: Crypto tutorial. A.1. The 'key' to understanding crypto. A.2. Symmetric cryptography. A.3. Asymmetric cryptography. A.4. The best of both worlds. A.5. Getting 'carded' in cyberspace. A.6. Digital ink?
Appendix B: VPN tutorial. B.1. Inside the VPN tunnel. B.2. VPN defined. B.3. Virtual privacy or virtually private? B.4. Standards, standards everywhere ... . B.5. Opening the IPSec envelope. B.6. Are you really you? B.7. Just between you and me. B.8. Who has the key? B.9. The envelope, please ... . B.10. And if that weren't enough ... . B.11. The light at the end of the tunnel.

Glossary. Bibliography. Index.

- - - - - -

ABOUT THE AUTHOR
Jeff Crume is a Consulting IT/Security Specialist with IBM's Tivoli Systems organization in Raleigh, NC. He has worked as a programmer, product designer, technical support specialist, and systems engineer during his 16 years with the company. During that time, he helped lead development for the initial release of IBM's NetView network management software, and was awarded a U.S. patent for his work on message forwarding and loop detection.

- - - - - -

2001, 270 pages. Order #DR592.

- - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEin
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008