18 Books on Hacking for $30! (5-9)
This series of posts reviews each title in an 18-for-$30 Humble bundle on Hacking. I already covered the first four books. The rummage continues: here come the next five!
"Crypto Dictionary" is quite a bit more fun than reading a phone book (heh, remember those?), but I had to think hard about what the target audience would be. The best idea I came up with: perhaps the dictionary has a place in the lobby of a tech VC firm, where founders waiting to make their blockchain pitch can casually browse and look up terms they are not familiar with.
"Cyberjutsu" takes published sources about the tactics, techniques, and procedures (TTPs) used by ninja in feudal Japan and applies them to modern cybersecurity (with handy mappings to NIST SP 800-53). From building [network] maps and identifying and guarding weak spots, to insider threats and covert channels, it is intriguing how warfare principles documented in the middle ages are still relevant today with an appropriate interpretation. This is a general interest title that folks with some IT background will find very readable: if you are familiar with the technical (non-security) context, the cybersecurity overlay will snap easily in place thanks to each included concept's rooting in ninja lore, while the specific mappings to NIST controls will give you a starting point to build on.
"The Art of Cyberwarfare" details major cyber exploits from the last two decades or so, with a focus on those driven or sponsored by nation-states as well as major criminal organizations. It is an enjoyable and engaging narrative which, in the second part, evolves into a discussion of actual techniques and culminates into a hypothetical case study. Most of the techniques discussed revolve around email exploitation and C&C channels: don't expect the book to be a complete and deep guide into the discipline, but rather a good reference on the evolution and current state of high-profile cyberwarfare, combined with sufficient coverage of technical aspects to get you started on analyzing actual incidents from forensic data including email headers, domain registrations, and malware samples.
"Ethical Hacking" intends to take beginners through a crash course in hacking, and my assessment is that it succeeds in accomplishing that, at least on some level: it covers good ground in terms of the variety of tools available to a hacker, but assumes some fundamental knowledge from the reader while investing a fair number of pages on relatively trivial matters. For example, the section on root kits in the second half of the book switches to the C language abruptly and uses it for an example kernel module implementation; this is the kind of approach that can make a budding hacker dangerous to themselves and not necessarily effective. In summary, the book offered me a couple of interesting pointers to tools that I'd like to read more about and experiment with (e.g. Maltego, DSE frameworks), but if you are a novice, avoid simply following the recipes and make sure you take the time to understand what you don't know, before and after working through this book: if you got the bundle, I'd recommend "Hacking: The Art of Exploitation" as your first book; read "Ethical Hacking" afterwards.
??"Designing Secure Software" targets software engineers without background in security as its ideal audience, even though I found several useful bits in it too: notably the diagram of secure software patterns (Figure 4-1) or chapters 6 and 7, which can help guide security teams in their interactions with stakeholders. This is the kind of book that I could see fitting well in our office Product Security library at Zoox ; it can easily be the first part in a reading sequence, with Adam Shostack's "Threat Modeling: Designing for Security" as a more specialized follow-up.
This post concludes the general hacking and security titles in the bundle. The next installment (UPDATE: now live as part 3) will be about area-specific texts: on Web Application Security, IoT, Car Hacking, API hacking and so on.
Senior Principle Cybersecurity Engineer at Aptiv
2 years ago
Thanks, Hristo, for sharing a summary of these books. I was searching for some good books on cybersecurity, and your summary helps me pick some from this list.