Book Reviews: Information Security Books and Product Reviews – Low Tech Hacking

Book Title: Low Tech Hacking

Subtitle: Street Smarts for Security Professionals

Author(s): Jack Wiles, Dr. Terry Gudaitis, Jennifer Jabbusch, Russ Rogers, Sean Lowther. (Technical Editor: Neil Wyler)

Publisher: SYNGRESS (an imprint of Elsevier)

Date of Publishing: January 2012

ISBN(13): 9781597496650

Price (UK&US price – full price, not discounted price): £30.99, $49.95

URL of Amazon UK web page:  Low Tech Hacking: Street Smarts for Security Professionals

URL of Amazon UK (Kindle) web page:  Low Tech Hacking: Street Smarts for Security Professionals  

URL of Amazon US web page: Low Tech Hacking: Street Smarts for Security Professionals

URL of Amazon US (Kindle) web page: Low Tech Hacking: Street Smarts for Security Professionals

This book consists of eight chapters written by five authors, assisted by a Technical Editor. Perhaps unsurprisingly, the result is a bit of a mish-mash with little in the way of a coherent overall theme. In fact, it is necessary to read the Introduction fairly carefully in order to work out who was responsible for writing which chapter.

The book’s title is slightly misleading in that much of the content has little to do directly with IT. Instead, “hacking” is extended to cover many aspects of physical security and social engineering. Nor is it clear exactly who the intended audience is. The “Security Professionals” of the subtitle should already be aware of many of the ruses described here (although they might find some of the specific examples interesting). However, several chapters are relevant to anyone who has Internet access or is concerned about the security of their home.

The first three chapters are all written by the book’s main author, Jack Wiles, who has an extensive background in physical security and who (accurately) describes his contribution as a “potpourri of tips, tricks, vulnerabilities, and lessons learned.” His first chapter focuses on social engineering, both carried out remotely and as a means of gaining physical access to supposedly secure facilities. However, some more technical aspects of information security are also considered. There is, for example, an interesting discussion on the usefulness (or otherwise) of AV, IDS/IPS and firewalls compared with the benefits offered by ‘white list’ based execution control, which is increasingly being seen as something of a panacea. (The author does not consider defences against non-malware based attacks, such as DDoS.)

In his second chapter, “Low Tech Jack” offers a more detailed consideration of physical security, both in the office environment and at home. There is probably little here that anyone used to carrying out physical security assessments would find remarkable, although the material might be of general interest to non-specialist readers. Some may feel that the author’s advice on security measures around the home borders on the paranoid.

Chapter 3 is devoted to physical locks and lock picking – which the author again considers to be a form of hacking. Mr. Wiles is very knowledgeable about the subject but, unless you share his obvious enthusiasm, you might find the presentation rather tedious. (Readers in need of a still more complete treatment of the subject could turn to one of the reference works cited by the author.) There is a considerable degree of repetition in this chapter, which seems to be the result of slipshod editing rather than serving any useful purpose.

The next chapter, written by Jennifer Jabbusch, is on hacking wireless networks and is by far the most technical part of the book. Ms. Jabbusch presents no fewer than 30 possible attacks, each of which is assigned a ‘Low Tech Level’ ranging from 0.5 to 5, where 0.5 covers the use of aluminium foil (paper clips etc.) to short-circuit an antenna and 5 relates to a Layer 2 DoS ‘Farewell attack’, in which clients are forced to de-authenticate and/or disassociate from a network AP. Although some of the names that the author assigns to the various attacks are rather silly, this chapter is better written (and better edited) than most and provides a useful introduction to wireless technologies and vulnerabilities.

In Chapter 5, Dr. Terry Gudaitis returns to a mostly non-technical theme by looking at how the average citizen can inadvertently disclose a considerable amount of information about their personal background and habits, and how this information can be harvested. Unsurprisingly, the focus is largely on the Internet and, in particular, the use of social networking sites. Whilst some of these insights might come as a shock to the casual reader, there is little here to surprise the IA professional. The author includes a list of websites and search engines that can be used for surveillance purposes, although many of these seem geared predominantly to US consumers. The chapter concludes with a list of recommendations to improve your online security, some of which look more practicable than others.

There then follows a (fairly brief) chapter by Russ Rogers which considers the social engineering aspects of penetration testing, culminating in a case study of a successful attempt to distribute Trojan-laden USB drives at a corporate conference in Las Vegas.

After this, we are back in the hands of Low Tech Jack (Wiles) who, in Chapter 7, provides advice on where victims of the kinds of ‘hacking’ described in the book can turn for help. The material largely consists of interviews with a retired Secret Service agent and an FBI Special Agent, whose advice will be of very limited use to anyone outside the United States. (Perhaps I’m just an Old World cynic, but ending an interview with phrases such as “Thanks for always being there for us, Tony” or “Thanks for everything you do to keep us safe, Greg” does make me feel a bit queasy.)

Finally, Sean Lowther describes how he went about creating an Information Security awareness programme within a large corporation. The intended audience here is presumably rather different from the rest of the book, with the advice, clearly based on hard-won experience, covering such areas as obtaining management buy-in and measuring the success of your awareness programme. (The author uses repetition in this chapter explicitly as a teaching aid.)

‘Low Tech Hacking’ consists of 225 pages of text, supported by the usual introductory material and a reasonably comprehensive index. In fact, because the print is quite small and closely packed, the book seems longer. Several of the chapters include photographs, many of which have a slightly dated appearance.

The standard of proof reading is generally poor. Some chapters contain enough errors to be irritating – especially where they alter the sense of what the author intended. This is somewhat ironic, given that Sean Lowther (albeit by no means the worst offender) includes a section in his chapter headed: The importance of a good editor.

This book, adopting a wide interpretation of “hacking”, focuses mostly on social engineering and physical security penetration, with chapters on wireless exploits and security awareness training thrown in for good measure. It contains little that will be new to a security professional, but seems aimed at a rather wider audience.

Marks: 2 out of 5