46 of 51 people found the following review helpful
James J. Lippard
- Published on Amazon.com
Spies Among Us is in many ways similar to Winkler's previous book, Corporate Espionage. It describes threats and vulnerabilities, gives case studies of attacks and penetrations (some malicious by miscreants, some as part of his own testing), and offers countermeasures and lessons learned.
The book is divided into three parts--Part I is on "Espionage Concepts," which describes the intelligence process, forms of information, risk equations, how security's components are confidentiality, integrity, and availability, how to measure asset values, and so on. Part II is "Case Studies" and is the most interesting and original portion of the book. Part III is "Stopping the Spies," about specific vulnerabilities and countermeasures.
As in the previous book, Winkler's advice is sound and the case studies are interesting. Unfortunately, much of the book duplicates the prior book and other books in the field, which is part of why it took me three months to get through this book--I got hung up in Part III, which was mostly old hat.
What I found most disappointing about the book beyond its lack of novelty were two features: first, that there were frequent errors and omissions which seemed a display of either lack of research or carelessness; second, that Winkler takes many opportunities to tell the reader that he's involved in important things, but without showing the evidence for it.
Examples of the first include not only simple things like typos that should have been caught by the editor (p. xv "phased" for "fazed", p. xvi "over" for "cover"), but factual errors. On p. 55 he writes of the 1996 blackout of "nine states of the Pacific Northwest." There aren't nine Pacific Northwest states, and there were two Western U.S. 1996 blackouts caused by power lines sagging to trees, an Idaho/Wyoming line on July 2 affecting 14 Western states and a California line on August 10 affecting states from Oregon to Mexico and Texas.
On p. 78 he gives estimates of the number of people with various hacking skills which appear to have been pulled from a hat; I suspect his estimate of 100,000 people capable of developing hacking tools from knowledge of vulnerabilities is a substantial underestimate.
On p. 81 he claims that, contrary to other countries, the U.S. government intelligence agencies don't pass information back to U.S. companies. While this is official policy, counterexamples may be found (e.g., the book Friends in High Places discusses information flow in both directions between the CIA and the Bechtel corporation in the Middle East).
On p. 143, Winker writes that "There has supposedly been only one day zero attack, which is an attack that exploits a vulnerability that was not previously reported and known." No reference (though I suspect he's referring to a successful 2003 attack on Microsoft IIS against the U.S. Air Force prior to the March 13, 2003 release of MS03-007), and surely false, if by "reported" he means reported to the general public, e.g., via a published security advisory.
Omissions include his discussion on p. 93 of Israeli intelligence actions against U.S. corporations, where he says "an Israeli telecommunications [company, sic] acquired a U.S. domestic carrier" and "now has control and access to the phone lines of many companies," but doesn't name the company. Why not? Isn't this something of importance for U.S. companies to be aware of? (Perhaps he is referring to Verint, formerly Converse Infosys.)
Similarly, on p. 94 he writes that "There are also the recent charges of a Pentagon official who passed classfieid documents to Israel through a political lobbying group," but omits any details, even though these charges against Lawrence Franklin, who worked under Douglas Feith at the Pentagon, were well known (and Franklin has since confessed).
On p. 95 he writes of a German intelligence project, Project Rahab, that "one of [its] major reported successes includes infiltration of the SWIFT system, which is one of the world's major financial networks." Again, no references--in this case, the allegation probably comes from Timothy Haight's article "High Tech Spies" in the July 5, 1993 issue of Time magazine (p. 24), regarding the BND (German intelligence) use of a virus written by Chaos Computer Club member Bernd Fix. According to Fix (search the web for Rahab, SWIFT, and Bernd Fix and you'll find his commentary on this), there have been a lot of wild claims made, and he can't vouch for any of them. Any of these omissions could have been elaborated on and made the book much more interesting.
Winkler's self-aggrandizing can be found at a number of points throughout the book, such as on p. 84 where he writes that a small literary agency can represent people "some of whom (such as myself) have access to sensitive information." My favorite example is on p. 121 under the heading "personal aggrandizement," where Winkler writes that "An individual's desire to impress others has caused some of the biggest security problems in history." In the very next paragraph, he writes, "As I mention in the Introduction, one of my female friends was a CIA operative who posed in Playboy magazine."
Still, the book is worthwhile for a solid collection of vulnerabilities and countermeasures if you don't already have one, and the case studies are enjoyable (some of which are from Winkler's direct experience, others of which are reports of cases which have been reported on elsewhere, such as Alexey Ivanov in chapter 10 and Abraham Abdallah in chapter 11). One weakness of chapter 13 ("Taking Action", about setting up a security program and implementing countermeasures) is that it gives short shrift (p. 304) to measurement of effectiveness and the security life cycle.
8 of 8 people found the following review helpful
Dr. G. Hinson
- Published on Amazon.com
Read this book to appreciate what is (or should be) keeping your Information Security Manager awake at nights, and to understand what he/she probably wants (or ought) to do about it.
Ira learnt his trade working for the US National Security Agency. His spooky background provides a somewhat disturbing undercurrent throughout the book but this is neither a James Bond training manual nor a shock horror exposé of the murky world of spies. It is in fact a very broad exposition highlighting the urgent need for all organizations to implement suitable information security controls.
Chapter five "How the spies really get you" should be compulsory reading for all managers. In less than fifty pages, Ira explains how virtually anyone in or associated with the average organization may represent a vulnerability, some more than others. I challenge any experienced manager to read this chapter without thinking about probable weaknesses in their own organization, perhaps even in their own departments.
If chapter five piques your interest, I guarantee you will enjoy the rest of the book. The previous four chapters set the scene, explaining that information security is far more than simply a matter of implementing system/network access controls. The next six chapters (part II of the book) present compelling case studies built (we are told) around genuine real-world situations. Ira is known for describing attack methods quite explicitly, meaning that having read the case studies, you will be in a similar position to those who actually committed these attacks. Each case concludes with a description of the vulnerabilities exploited.
The final two chapters (part III) attempt to redress the balance by explaining how to address the risks presented in the rest of the book and so `stop the spies'. Given the broad nature of the threats and vulnerabilities described in parts I and II, it would be unrealistic to expect to get a complete set of answers in just two short chapters ... but that would miss the whole point of the book. Part III gives an overview of the main elements of most information security programs. In one, two or occasionally three paragraphs, Ira explains what the average Information Security Manager actually means by concepts such as single sign on and defense in depth.
This book should provide a wake-up call to complacent managers who feel their organizations are somehow immune to industrial espionage, social engineers and even terrorist infiltration.
6 of 6 people found the following review helpful
- Published on Amazon.com
So just how safe are you and your company/organization? My guess is, not very. Spies Among Us by Ira Winkler will definitely drive home that fact...
Part 1 - Espionage Concepts: How To Be A Spy; Why You Can Never Be Secure; Death By 1000 Cuts; Spies And Their Friends; How The Spies Really Get You
Part 2 - Case Studies: Spy vs. Spy; Nuclear Meltdown; Fill'er Up!; The Entrepreneur; The Criminal Face Of The Internet Age; Crimes Against Individuals
Part 3 - Stopping The Spies: Taking Control; Taking Action; Index
Winkler is someone who does "attacks" for a living. He routinely is hired by companies to do threat assessment on their systems and locations, and unfortunately he is often successful with far too little effort. These assessments could be just a simulated attack to gain access to secured locations and systems that could then be compromised, clear up to security of nuclear facility information and terrorist attacks on fueling facilities at airports. It's that last one that is scary, in that it was done in a post-9/11 environment, and went off without a hitch. We're just not in the "security mindset" in most cases.
But rather than just go on about how easy it is to hack and crack systems, he also offers plenty of advice on how best to build a security program that is effective (both from a cost and result perspective). Each of the case studies ends with a summary that shows how something like this could happen, as well as what vulnerabilities were found and exploited. That piece by itself would be worth the cost of the book. But the final two chapters are where you'll benefit most. Winkler covers a multitude of counter-measures (personnel, physical, operational, technical) that can be implemented in order to have a more secure environment. The final chapter then explains how to implement a comprehensive program based on the value of your information and the amount of risk present. Rather than just saying "do this, this, and this", you get a customized approach based on your own unique situation. Really good stuff...
As he states early on in the book, there's no way to be 100% safe and secure. But you can do far more than "hope for the best". This is the book that can help you understand just how dangerous things can be and how at risk you are...
13 of 17 people found the following review helpful
Dr Anton Chuvakin
- Published on Amazon.com
Ira Winkler's "Spies Among Us" finally cleared my head on the subject of ... oooh, so horrible ... " cyberterrorism." Intuitively, when you read about "cyberterrorism" you instantly think "what a load of bull", but the amount of press and "research" that you see coming about it, makes one wonder. As a result, I was somewhat confused about the subject. Until now! Ira's book finally cleared it: at this stage, "cyberterrorism" is positively, absolutely, 100% "bull product." Here is why: computer failures are an accepted thing. "Everybody knows" that computers "are flaky", and might crash at any time, taking your work (or a billion-dollar Martian probe :-)) with them. Thus, computers do a pretty good job damaging themselves and things around them, and, thus, people will not be terrified if it happens due to malicious actions by whatever cyber-terrorists. Now, the above obviously doesn't cancel the use of computers and the Internet by the terrorists, but this is not what is commonly understood as "cyberterror."
So, the book is fun! The book starts from "espionage concepts" and continues on to case studies (the most fun part!) and countermeasures parts.
"Spies among us" also highlight some commonly overlooked truths in the security arena, such as that users' errors are more damaging, in aggregate, than all the malevolence of all the spies in the world. Acts of God, not "hackers", run a close second. Also, the section on countermeasures really stresses the point that many a sophisticated attack was ruined by the simplest countermeasures, applied deliberately and consistently.
Among other things, I loved the insider profiling bit, where the profile of the hardest working employee matches that of a "typical industrial spy." I also liked his country by country espionage coverage, such as how are Russian spies different from Chinese spies :-)
Overall, while the book clearly aims at a non-technical audience, even seasoned security professionals will benefit (or at least will have fun reading it), if not from the information, but from reliving Ira's experiences ("Can your organization be penetrated THIS way?"). Everybody related to security (and many who are not) should get the book!
Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. In his current role as a Security Strategist with netForensics, a security information management company, he is involved with defining future features and conducting security research. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal at info-secure.org and two blogs.
4 of 5 people found the following review helpful
T. M. Urquhart Jr.
- Published on Amazon.com
In the first couple of chapters, I realize that this is not a novel of spy vs.spy, but an actual resource book that makes 100 % sense.
Mr. Winkler is speaking from experience and his background denotes a lot of it. I was very impressed with his style of writing and the material he covers. If anyone wants a career in Computer Security or Information Assurance, this book is a definite MUST READ and MUST HAVE in your library.