BKCURRY.RVW 930802 Addison-Wesley Publishing Co. 1 Jacob Way Reading, MA 01867-9984 800-527-5210 617-944-3700 5851 Guion Road Indianapolis, IN 46254 800-447-2226 "Unix System Security - A Guide for Users and System Administrators", David A. Curry, 1992, 0-201-56327-4 davy@ecn.purdue.edu What do you say about a computer security book that has a cartoon of a cute little devil on the cover? Well, in this case, the cover hides a competent and fairly thorough treatment of security on UNIX systems. Nothing terribly surprising, but a step-by-step exploration of the various aspects of UNIX security, potential threats, and suggestions to reduce the level of vulnerability. Chapter one is there to scare you. The well-known stories of the Internet Worm, Cliff Stoll's "wily hacker", Ken Thompson's demonstration of how to hack a trap door into the C compiler, and some experiments in UNIX viral programs are listed. The descriptions are brief, but with sufficient detail to point out the means of attacking systems through unusual loopholes. Chapters two, three and four deal with the basics of security, covering accounts and passwords, file system security, and, finally, network security. Coverage of individual topics is sometimes terse, but the examples and suggestions are generally clear and practical. Chapter five extends network security to some specialized applications, while chapters six and seven deal with workstations, terminals, modems, UUCP and related matters. The remaining chapters, although they have a number of UNIX specific suggestions, deal with more general security issues. Responses to make to intruders and detected break-ins are discussed in chapter eight. Chapter nine covers encryption and authentication concepts and systems. Chapter ten returns to managerial issues with some thoughts on security policies. Chapter eleven becomes system specific again with security software listings. Finally, chapter twelve lists sources and resources for further information. Of the appendices, two contain source code for security programs; one for a password "cracker", and another for checking the file system. "A Kerberos Dialogue" deals not with the actual Kerberos system dialogue, but is a "playlet" describing some of the Kerberos concepts. There is also a security policy and checklist included. The subtitle explains that the book is "A Guide for Users and System Administrators" and the preface further provides that the attempt has been made to provide sufficient information that administrators can protect their systems, while not giving away details that can help crackers. By and large the book succeeds. The book is clear and simple enough that users (intelligent ones, anyway) should be able to understand the concepts and need for security. System administrators will find a fairly comprehensive overview of the topic. (Some areas, such as the reading list, could use a bit more material, but there is, at least, a "good start".) "Crackers" may find some help (such as the password cracking program), but definitely won't be able to use this as a "cookbook". copyright Robert M. Slade, 1993 BKCURRY.RVW 930802 ====================== DECUS Canada Communications, Desktop, Education and Security group newsletters Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag