BKDBHKHB.RVW   20060913

"The Database Hacker's Handbook", David Litchfield/Chris Anley/John Heasman/Bill Grindlay, 2005, 0-7645-7801-4, U$50.00/C$64.99/UK#31.99
%A   David Litchfield
%A   Chris Anley
%A   John Heasman
%A   Bill Grindlay
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D   2005
%G   0-7645-7801-4
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O   http://www.amazon.com/exec/obidos/ASIN/0764578014/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0764578014/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764578014/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   500 p.
%T   "The Database Hacker's Handbook: Defending Database Servers"

In the brief and disjointed preface and, similarly, introduction (two pieces which could easily have been combined), we are told that the book is intended for database administrators, network administrators, security auditors, and security professionals. However, there are implications, right from the start, that this is a "hack to secure" book and that, instead of real database security, we are going to be dealing only with server engine bugs.

Part one is an introduction. Chapter one is supposed to tell us why we should care about database security, but instead still seems to be dancing around the issue of bugs in engine code, and particularly the bugs that the authors (and their relatives) have found.

Part two is about Oracle. Chapter two tells us something of the Oracle architecture, obfuscated by packet dumps and pages of code for programs to attack parts of the system. More of the same is in chapter three, and, from the examples, it is not always clear how some of these "attacks" differ from the simple ability of authorized users to make changes to the system. Possible operating system and network attacks related to Oracle's command system are outlined in chapter four. Chapter five recommends various configurations and options for making an Oracle database server more secure.

Part three looks at DB2. Chapter six is an introduction to the product (and pages of code for an authentication request). Then there are more pages of programming for finding a DB2 server (chapter seven) and attacking it (eight). Chapter nine is a terse mention of some factors to consider when securing the system.

Part four reviews Informix, with architecture (ten), attack code (eleven), and configuration for security (twelve).

Sybase gets the same treatment in part five. This time the code (in chapter fourteen) just gets the version number, and chapter fifteen looks at commands that can be passed to the network.

The popular MySQL is dealt with in part six. Since the product is open source, the examination of the architecture, in chapter seventeen, is more detailed, and the advice on configuration, in chapter twenty, is equally extensive.

Part seven chooses SQL Server as its topic. Architecture, attack, hardening: no surprises. Part eight turns to PostgreSQL. Same.

OK, we get it. Unpatched applications have holes. Big surprise. The authors have provided very little that will be of use to database administrators, network administrators, security auditors, and security professionals.

copyright Robert M. Slade, 2006