Zero Day Exploit: Countdown to Darkness

Zero Day Exploit calls our attention to an all too often under reported reality: We live in a high risk society where our digital infrastructure is extremely vulnerable to certain kinds of attacks. I want to thank the author, Rob Shein, for producing a work of fiction that helps focus our attention on these contemporary risks, without being too shrill about them. This book I would recommend to my friends and clients alike as a nice change of pace to their usual reading choices. Paul McCubbin, Senior Consultant Forsythe Solutions Group

Defending against external Internet threats and attacks is a daunting task at best. When coupled with internal politics and Byzantine contracting rules, you may as well put a "kick me" sign on your back. Before the days we became dependent on computers and networking for everyday tasks, the risks were not as great. When terrorism is added to the formula, there has to be a recognition that the days of finger-pointing and excuses are no longer acceptable. In Zero-Day Exploit: Countdown to Darkness (339 Pages, Syngress Press, 2004, ISBN 1931836094), Rob Shein, David Litchfield, and Marcus Sachs present an account of one possible attack scenario. Like most fiction, you will have to ask yourself if the scenario in the book is possible at all. But the answer you give yourself may not be adequate. After all, who else except for the Able Danger team thought 9/11 was a real possibility? What makes this book different from others that I have read, the authors bring a real world perspective of Washington, DC politics and the challenges brought by the divide between employees and federal contractors, as well as what happens when people put their own career self-preservation above doing the right thing. Think this is not possible in today's environment? Think again. Having spent 12 years as a federal acquisition professional, I saw it every day, and I know what happens to people who buck the system. The book does get bogged down early with its detailed narrative of a DefCon convention, and I am not sure that it adds much to the book. The authors do manage to put useful information within this section, but the overall section was so dry I almost closed the book a few times. But then it picked up steam and I could not put it down until I finished it. Given my background, it was very interesting to see what I had experienced first hand (and still do as an IT consultant and auditor), knowing full well the damage those interactions alone can cause. The technical information presented is good, but not so deep that a nontechnical reader will get lost or bored (except perhaps for the DefCon section). As the story unfolds, the authors do a very good job showing how the emotion of a situation can lead to blaming the wrong person (in this case the programmer of the faulty software) instead of the circumstances that lead to the faults outside of his control (See my review of Secure Coding - Principles and Practices for more on this topic). The book is not cheap and may be a bit pricey for the content, but that does not mean it is not worth reading. Who Should Read This Book? IT Audit professionals, bureaucrats, and programmers/developers will all gain benefit from reading this book. It is not really a good read for other people because they may take the wrong message from it. Scorecard Par on Long Par 4

Zero-Day Exploit: Countdown to Darkness is an exciting novel of suspense. The trade paperback format is curiously reminiscent of computer tutorial manuals, and indeed there is a strong moral concerning the laws of cyber-security (such as "security through obscurity does not work" and "if a key is not required, you do not have encryption - you have encoding" yet the heart of story is a cyber-thriller novel. Written in bite-sized chunks of action organized by date, the saga traces the exploits of a group of hackers who found infiltrating target corporation software remarkably easy. Featuring a forward by the President and CEO of Black Hat, Inc., and written by one of the world's leading counter-terrorism expert who takes pains to present an authentic account Zero-Day Exploit is a cyber-terrorist saga reflecting the cutting edge of the 21st century.

I'm seeing more security books come out in the style of cyber-novel. The latest one is called Zero-Day Exploit - Countdown To Darkness by Rob Shein. While not on par with Tom Clancy material, it does quite well and should appeal to the cyber-geek in all of us. In the novel, two security programmers (both geeky but pretty normal) are hired to do a security audit on a new VPN product to be used by the Department of Justice. They quickly find two exploitable bugs (denial of service and buffer overflow) and report the situation. But as often happens in real-life, politics and CYA cause the findings to be minimized and the software is installed anyway with a promise to fix the software later. Of course, it doesn't get done. Meanwhile, Islamic idealists enlist the help of two hackers in the Phillipeans to scan networks looking for this VPN package as well as some industrial software so that a cyber-attack can be launched against the US. The original security audit team (this is years later) notices the increase in port scans for the VPN package and try to alert the DoJ. But until the attack actually occurs, no one will listen. Once all hell breaks loose, its them against the hackers. This is more of a novel and less of a security primer than books like Steal The Box. The author does go into detail on the technology, but not to the point of putting pages and pages of screen prints in the book. It's all part of the story dialog and action. The second member of the team ("MadFast") starts just about each sentence with "Right on", so don't expect outstanding dialogue. But then again, this would be closer to reality if you were listening and watching real computer geeks/hackers. A reader experienced in security will be entertained (but won't learn much), but others less tied into computer security may have their eyes opened as to dangers that are very real. While not perfect, I still liked it a lot. Definitely worth a read...

The back cover calls this book "a must read cyber thriller." It's right--the book features real places like the Defcon tradeshows in Vegas to Washington, D.C. hotspots and the slums of Manila where a group of terrorists sprouts, grows, and plans to take over US-based computers using a zero day bug. The story centers around a security expert named Reuben who tries to stop the bug from being exploited, trying to convince governments, colleagues, and a vendor who is loathe to believe they have a faulty product. Pretty cool stuff.