Contents: Course Maximum Internet Security: A Hacker's Guide
I Setting the Stage
1 -Why Did I Write This Book?
2 -How This Book Will Help You
3 -Hackers and Crackers
4 -Just Who Can Be Hacked, Anyway?
II Understanding the Terrain
5 -Is Security a Futile Endeavor?
6 -A Brief Primer on TCP/IP
7 -Birth of a Network: The Internet
8 -Internet Warfare
III Tools
9 -Scanners
10 -Password Crackers
11 -Trojans
12 -Sniffers
13 -Techniques to Hide One’s Identity
14 -Destructive Devices
IV Platforms and Security
15 -The Hole
16 -Microsoft
17 -UNIX: The Big Kahuna
18 -Novell
19 -VAX/VMS
20 -Macintosh
21 -Plan 9 from Bell Labs
V Beginning at Ground Zero
22 -Who or What Is Root?
23 -An Introduction to Breaching a Server Internally
24 -Security Concepts
VI The Remote Attack
25 -The Remote Attack
26 -Levels of Attack
27 -Firewalls
28 -Spoofing Attacks
29 -Telnet-Based Attacks
30 -Language, Extensions, and Security
VII The Law
31 -Reality Bytes: Computer Security and the
VIII Appendixes
Appendix A -How to Get More Information
Appendix B -Security Consultants
Appendix C -A Hidden Message About the Internet
Appendix D -What’s on the CD-ROM
Excerpt from the course Maximum Internet Security: A Hacker's Guide
Why Did I Write This Book?
Hacking and cracking are activities that generate intense public interest. Stories of hacked servers and downed Internet providers appear regularly in national news. Consequently, publishers are in a race to deliver books on these subjects. To its credit, the publishing community has not failed in this resolve. Security books appear on shelves in ever-increasing numbers. However, the public remains wary. Consumers recognize driving commercialism when they see it, and are understandably suspicious of books such as this one. They need only browse the shelves of their local bookstore to accurately assess the situation.
Books about Internet security are common (firewall technology seems to dominate the subject list). In such books, the information is often sparse, confined to a narrow range of products. Authors typically include full-text reproductions of stale, dated documents that are readily available on the Net. This poses a problem, mainly because such texts are impractical. Experienced readers are already aware of these reference sources, and inexperienced ones are poorly served by them. Hence, consumers know that they might get little bang for their buck. Because of this trend, Internet security books have sold poorly at America’s neighborhood bookstores.
Misconfiguration of the Victim Host
The primary reason for security breaches is misconfiguration of the victim host. Plainly stated, most operating systems ship in an insecure state. There are two manifestations of this phenomenon, which I classify as active and passive states of insecurity in shipped software.
The Active State
The active state of insecurity in shipped software primarily involves network utilities. Certain network utilities, when enabled, create serious security risks. Many software products ship with these options enabled. The resulting risks remain until the system administrator deactivates or properly configures the utility in question. A good example would be network printing options (the capability of printing over an Ethernet or the Internet). These options might be enabled in a fresh install, leaving the system insecure. It is up to the system administrator (or user) to disable these utilities. However, to disable them, the administrator (or user) must first know of their existence.
You might wonder how a user could be unaware of such utilities. The answer is simple: Think of your favorite word processor. Just how much do you know about it? If you routinely write macros in a word-processing environment, you are an advanced user, one member of a limited class. In contrast, the majority of people use only the basic functions of word processors: text, tables, spell check, and so forth. There is certainly nothing wrong with this approach. Nevertheless, most word processors have more advanced features, which are often missed by casual users.
The Passive State
The passive state involves operating systems with built-in security utilities. These utilities can be quite effective when enabled, but remain worthless until the system administrator activates them. In the passive state, these utilities are never activated, usually because the user is unaware that they exist. Again, the source of the problem is the same: The user or system administrator lacks adequate knowledge of the system.
To understand the passive state, consider logging utilities. Many networked operating systems provide good logging utilities. These comprise the cornerstone of any investigation. Often, these utilities are not set to active in a fresh installation. (Vendors might leave this choice to the system administrator for a variety of reasons. For example, certain logging utilities consume space on local drives by generating large text or database files. Machines with limited storage are poor candidates for conducting heavy logging.) Because vendors cannot guess the hardware configuration of the consumer’s machine, logging choices are almost always left to the end-user.
System Flaws or Deficiency of Vendor Response
System flaws or deficiency of vendor response are matters beyond the end-user’s control. Although vendors might argue this point furiously, here’s a fact: These factors are the second most common source of security problems. Anyone who subscribes to a bug mailing list knows this. Each day, bugs or programming weaknesses are found in network software. Each day, these are posted to the Internet in advisories or warnings.
Unfortunately, not all users read such advisories. System flaws needn’t be classified into many subcategories here. It’s sufficient to say that a system flaw is any element of a program that causes the program to
- Work improperly (under either normal or extreme conditions)
- Allow crackers to exploit that weakness (or improper operation) to damage or gain control of a system
Why Education in Security Is Important
Traditionally, security folks have attempted to obscure security information from the average user. As such, security specialists occupy positions of prestige in the computing world. They are regarded as high priests of arcane and recondite knowledge that is unavailable to normal folks. There was a time when this approach had merit. After all, users should be afforded such information only on a need-to-know basis. However, the average American has now achieved need-to-know status.
So, I pose the question again: Who needs to be educated about Internet security? The answer is: We all do. I hope that this book, which is both a cracker’s manual and an Internet security reference, will force into the foreground issues that need to be discussed. Moreover, I wrote this book to increase awareness of security among the general public. As such, this book starts with basic information and progresses with increasing complexity. For the absolute novice, this book is best read cover to cover. Equally, those readers familiar with security will want to quickly venture into later chapters.
The Corporate Sector
For the moment, set aside dramatic scenarios such as corporate espionage. These subjects are exciting for purposes of discussion, but their actual incidence is rare. Instead, I’d like to concentrate on a very real problem: cost.
The average corporate database is designed using proprietary software. Licensing fees for these big database packages can amount to tens of thousands of dollars. Fixed costs of these databases include programming, maintenance, and upgrade fees. In short, development and sustained use of a large, corporate database is costly and labor intensive.
When a firm maintains such a database onsite but without connecting it to the Internet, security is a limited concern. To be fair, an administrator must grasp the basics of network security to prevent aspiring hackers in this or that department from gaining unauthorized access to data. Nevertheless, the number of potential perpetrators is limited and access is usually restricted to a few, well-known protocols.
Government
Folklore and common sense both suggest that government agencies know something more, something special about computer security. Unfortunately, this simply isn’t true (with the notable exception of the National Security Agency). As you will learn, government agencies routinely fail in their quest for security. In the following chapters, I will examine various reports (including one very recent one) that demonstrate the poor security now maintained by U.S. government servers. The sensitivity of data accessed by hackers is amazing.
These arms of government (and their attending institutions) hold some of the most personal data on Americans. More importantly, these folks hold sensitive data related to national security. At the minimum, this information needs to be protected.