***** Black Hat Physical Device Security: Exploiting Hardware and Software. By Drew Miller and Rob Shein; published by O’Reilly Media, www.oreilly.com (Web); 448 pages; $49.95.
With the profusion of computer security books on the market, it’s refreshing to find one with a unique perspective: the technological gadgets that hook into and interact with your computer. These devices are inherently insecure, the authors say, so it is important for developers and engineers to change their ways and integrate security early in the development process. For end users who already own the vulnerable devices, the authors offer advice on closing the devices’ security holes.
One Web-based video camera system described in the book was released with a flaw that would allow a misspelled Web address to bypass all authentication mechanisms in the system, granting the user full administrative access to the devices. The patch issued to fix the problem, the authors say, was just as vulnerable. The lesson from this incident: “[B]efore you buy that nifty gadget, you need a third party to perform an audit of it. You must ensure the security of the device before trusting it to ensure the security of your data and personnel.”
Among topics covered in the book are cryptography and encryption, authentication, secure communications, secure program development, mitigation of exposures, and the monitoring and detection of deviations. One of the best features is a set of three review sections at the end of each chapter: Summary, Solutions Fast Track, and Frequently Asked Questions. An appendix called Terms in Context is also valuable.
If only the presentation of the material were as solid as the substance itself. Unfortunately, the text is riddled with typographical and grammatical errors, as well as other editorial goofs, such as thoughts that end in mid-sentence (“…the processes can be applied to security devices such as fingerprint scanners and other”). These make the book at times confusing and hard to follow.
Reviewer: John Mallery is a managing consultant for the firm BKD, LLP, where he is responsible for managing the firm’s computer forensics services. He is also coauthor of Hardening Network Security, published by McGraw-Hill. He is a member of the ASIS Information Technology Security Council.