BKZRDYTH.RVW 20090120

"Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5, U$19.95/C$21.95
%A Byron Acohido
%A Jon Swartz
%C 1 Atlantic Ave, #105, Toronto, ON, Canada M6K 3E7
%D 2008
%G 978-1-4027-5695-5 1-4027-5695-X
%I Sterling Publishing Co., Inc.
%O U$19.95/C$21.95 800-805-5489 specialsales@sterlingpublishing.com
%O http://www.amazon.com/exec/obidos/ASIN/140275695X/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/140275695X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/140275695X/robsladesin03-20
%O Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 297 p.
%T "Zero Day Threat"

The title here is definitely misleading: the authors have just taken a sensational term and stuck it on a book about "the shocking truth of how banks and credit bureaus help cyber crooks steal your money and identity." Now, as a malware researcher, I'm delighted to see them state, right off the top, the rather bitter truth that security is in such a sorry state because the general populace demands convenience over security, and major companies are willing to give it to them. I'm not quite as happy to find that Acohido and Swartz don't fully understand what a zero day threat actually is. I'm willing to suspend judgment for a while based on their very useful division of each chapter into exploiters (traditional blackhats and opportunists), enablers (those who build weak infrastructures), and expediters (those who, in various ways, make the problem worse). It's good to see that the authors aren't just retailing the common "oooh, teenage hackers!" stories, and realize that the situation is complex, and involves the interacting behaviours of many different parties. The synergy of this approach is not demonstrated in chapter one.
Of the three parts of the chapter, the first talks about some drug addicts involved in dumpster diving for credit card and bank account information, the second briefly notes the speed and volume of credit card transactions, and the third examines a few of the malware instances around the year 2000. It is not clear what these have to do with each other. Subsequent chapters follow up on these stories. The tales start to interweave at about chapter five, but few connections are made between the items in the content, and those that do exist seem to be almost random. A final chapter in the book, eighteen, is entitled "What Must Be Done." Unfortunately, it is overly broad, and not very specific, reducing to an assertion that we need better financial activity oversight and review, better Internet infrastructure, and better security in operating systems and other software. Appendix A, on personal security, contains a fairly pedestrian collection of advice on credit card, financial, computer, and Internet security. All of the recommendations would help increase the safety of most people: sadly they do not exhaust the possible avenues of attack, and many of the suggestions are not completely within the capability of the average user. (For example, yes, it is a good idea to use strong passwords that are long, and contain a mix of characters, and to change those passwords on a regular basis. The trick is to teach people ways of creating passwords such that the user can remember them, and attackers can't. As a second instance, it is dangerous to click on any banner ad or popup window: what proportion of those who use the Internet regularly can identify those entities when they appear?) Acohido and Swartz demonstrate, as David Rice did in "Geekonomics" (cf. BKGKNMCS.RVW), that financial entities have little incentive either to take serious steps to reduce electronic fraud, or to protect consumers (or merchants) from losses due to fraudulent transactions. 
The authors have done an excellent job of research in the narrative, at least as far as events in the public record are concerned. There is also evidence of commendable exclusive investigation to confirm or enhance specific areas. Unfortunately, the technical material has little depth, and is somewhat suspect when dealing with specialized areas. Overall, the stories of the blackhat community are entertaining, the tales from the financial world emphasize dangers that should be stressed, and the narratives from the malware environment provide a history (more social than technical) of major recent infestations. The work contains a wealth of stories that could be used to promote security awareness, but doesn't otherwise provide a significant source of security assistance.

copyright Robert M. Slade, 2009