Review of Black Hat Python by Justin Seitz

Back with another one of those block rockin (beats) book reviews. This time, up for review is Black Hat Python by Justin Seitz. Yes, this is the same Justin Seitz who wrote Grey Hat Python. I’ll just come right out and say it: (TL;DR) 4 out of 5 stars.

Audience

This is not a beginner book. It assumes a lot of basic knowledge about security, networking, and Python. It’s also not an expert’s book, as most of the material can be found online (if you know where to look). I’d put this book somewhere in between intermediate and advanced. If you have a general idea of computer security, hacking, pen testing, etc., and a little knowledge (but aren’t an expert) of Python, you’ll enjoy this book.

The 4 of the 5 stars

It just so happens that I fit the audience for this book pretty well. I’m by no means a security expert, nor do I work in the field (I wish), but I feel like I have a good handle on it. Likewise, although I know Python and could probably ‘get-by’ programming something in it, I don’t use it often enough to feel super comfortable using it.

The book is kind of a large collection of example scripts that you might use while hacking or pen testing. The Python code is at an intermediate/advanced level and, as I mentioned, I’m not very good at Python, so I had to look up several references. (Side note: there are a few syntax typos in the book, but nothing that shouldn’t be easy to fix.)

You might think that a book with a bunch of example code is kind of lame because you can just look it up online, but it turns out to be pretty useful. I think one of the hardest parts of programming is figuring out where to start. With these examples, you can copy the code and build on it from there. For example, I’ve actually always wanted to write a sniffer just to see how they work. The book takes you through writing a very simple sniffer that you could easily build on.

Perhaps what I enjoyed most about the book was that it got me excited about writing my own Python code for security tools. I guess you could say that it sort of motivated me or put me in the mindset to want to try doing it on my own instead of using everyone else’s tools!

The missing star

I didn’t think I’d ever say this about a book, but my overall complaint is the length. It’s too short, and there are several areas where the author could have expanded on or explained things. For instance, with the Scapy library that it teaches you how to use, I was confused about how the ARP poisoning worked until I figured out that because the hardware source address was not passed as an argument to the ARP() class, it was set by default to the machine’s MAC address (key to the ARP poisoning). I was also confused by the / notation for composing packets until I read the Scapy docs.
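To make the two points above concrete, here is an added Python example; it is not from the book or from the reviewer, and it does not use Scapy. It composes Ethernet + ARP frames by concatenating the two packed headers, which is what Scapy’s `Ether()/ARP()` layer stacking does underneath (here every field is explicit, so nothing is silently defaulted to the local MAC the way the unset ARP() sender field is), and then runs a small sniffer-side check over the frames that flags an IP address whose sender MAC changes, the symptom a defender watches for with ARP poisoning. All addresses, frames and function names are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def make_arp_frame(sha: str, spa: str, tha: str, tpa: str, op: int = ARP_REPLY) -> bytes:
    """Compose an Ethernet II header followed by a 28-byte ARP header.

    Concatenating the packed headers is the raw-bytes equivalent of
    Scapy's Ether()/ARP() stacking. Every field is passed explicitly.
    """
    eth = struct.pack("!6s6sH", _mac(tha), _mac(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,          # Ethernet, IPv4, hlen, plen, opcode
                      _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp

def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a raw frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                              # 14 (Ethernet) + 28 (ARP)
        return None
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

class ArpWatcher:
    """Tracks the sender MAC seen for each IP and reports when it changes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        if arp["eth_src"] != mac:
            # Ethernet source and ARP sender MAC should agree on a normal host.
            return f"ALERT: Ethernet src {arp['eth_src']} != ARP sender {mac} for {ip}"
        known = self.table.setdefault(ip, mac)       # first sighting is recorded, not flagged
        if known != mac:
            return (f"ALERT: {ip} was {known}, now claimed by {mac} "
                    f"(op={arp['op']}, target {arp['tpa']})")
        return None

def scan(frames: List[bytes]) -> List[str]:
    """Run the watcher over a list of raw frames and return the alerts raised."""
    watcher = ArpWatcher()
    return [alert for alert in (watcher.observe(f) for f in frames) if alert]

# Constructed sample capture: gateway 10.0.0.1 answers a host normally, then a
# different MAC starts answering for 10.0.0.1.
SAMPLE_FRAMES = [
    make_arp_frame("aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:10", "10.0.0.10"),
    make_arp_frame("aa:bb:cc:00:00:10", "10.0.0.10", "aa:bb:cc:00:00:01", "10.0.0.1"),
    b"\x00" * 60,                                    # non-ARP frame, ignored
    make_arp_frame("aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:10", "10.0.0.10"),
    make_arp_frame("de:ad:be:ef:00:99", "10.0.0.1", "aa:bb:cc:00:00:10", "10.0.0.10"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

The frames are fed in as bytes, which is exactly what a raw-socket sniffer of the kind the book walks through would hand you per packet; only the fourth sample frame raises an alert, because a repeat announcement with the same MAC is normal and is not reported.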

It’s kind of funny, the book can be a bit bipolar at times. One chapter you’re reading it thinking that this type of knowledge would be good for pen testing. The next chapter, you’re thinking, wow, this is real “bad guy” (Black Hat) stuff that I could rarely see a use for other than devious purposes. I’m glad to see these chapters, because near the beginning of the book I was thinking to myself, is the ‘Black Hat’ title just a ruse to get you interested in the book, or are we actually going to learn real hacking stuff? I would have been happier if the whole book was this way, but who knows, maybe the author and/or publishing company would get sued :-p

Thanks to my favorite publishing company in the world (No Starch Press) for providing the book for review!

Early Access Book Review: Android Security Internals

Funny side note before we start this review … we just had a small 3.2 earthquake in Utah while I was writing this!

No Starch graced me with the opportunity to review a new book they have as part of their early access program: Android Security Internals by Nikolay Elenkov.

The early access program gives you access to two chapters in the book: Chapters 5 and 7. I own several Android devices, so I’m interested to see how this book will turn out. I will say that looking at the index, there are 13 chapters and they all look very interesting.

Chapter 5

This chapter was a general overview of the Java Cryptography Architecture (JCA). As I’ve mentioned before, I program in Java as part of my day job, so I was already somewhat familiar with JCA. I don’t know much about Android, so it was surprising to see that Android uses almost all of the JCA practically unchanged. A couple of criticisms of this chapter:

  1. I didn’t feel like it was applied very much to Android. At times I felt like I was just reading a book on Java security! I’d love to see more ties to Android specifics sprinkled throughout the chapter.

  2. Some very simple and common cryptography concepts were explained in great detail, but other less familiar ones were only just mentioned (e.g. the chapter mentions the mask generation function of RSA-PSS but doesn’t explain what that is).

Chapter 7

This chapter was all about credential storage; basically, how keys are stored securely, either through software or hardware. I liked this chapter much better than the previous one, as it was directly tied to Android. There was a very interesting section about the Nexus 4 and how it uses a hardware-backed implementation based on Qualcomm’s Secure Execution Environment (QSEE). The device can only communicate with QSEE through the /dev/qseecom device using the proprietary libQSEEComAPI.so library. Now, the author notes that there are not very many hardware-backed implementations of credential storage, but the second that I read the word “proprietary” I got to wondering if anyone has vetted this library, either fuzzing it directly or fuzzing /dev/qseecom. My initial searches led me to believe no. In all, what I liked best about this chapter is that it got me excited about the security internals of Android. I found myself looking at the Android source code after reading this!

Questions for the Author

These are possibly stupid questions, but they came to mind while I was reading the chapters:

  1. Since providers can define their own algorithm names and aliases, is there anything to prevent them from naming it the same as a standard algorithm?

  2. Since key blobs contain serialized key and data about the key, would it be possible to modify the raw data to change the key type to be TYPE_MASTER_KEY (assuming the data wasn’t encrypted)?

  3. How are Wi-Fi credentials stored in credential storage? Are they encrypted based on the user’s security PIN? What if they don’t have a PIN set?

  4. It was mentioned that in certain versions of Android, keys installed by the user were owned by System and thus every app had access to them. This sounds kind of scary! Couldn’t you create some key-harvesting application disguised as something else?

A New, Old Book Review: Ruby Under a Microscope

I’m porting over my review of Ruby Under a Microscope from Amazon.com (Linky) because I was in the process of migrating my content from my old blog to this blog and did not have a platform where I could post reviews. Enjoy!

The Review

TL;DR: This book does an excellent job of explaining the C implementation of Ruby. It’s very well organized and takes you on a step-by-step journey through Ruby. It’s mainly focused on the C implementation, but it does describe other implementations, albeit with not as much detail as I would have liked.

If you’re curious about how things work (like me), you’ll really enjoy this book. The seemingly “magic” things that Ruby does all have a clear and straightforward, step-by-step explanation.

What I liked:

  • The book is well organized and explains some very complicated topics in a very understandable way.
  • Figures are repeated so you don’t have to flip back and forth (a little thing but very helpful)
  • Has a very computer-science-like feel to it. It’s a fun read if you’re a computer science geek like me.

What I didn’t like:

  • The chapter on JRuby is severely lacking in my opinion. Given that the other chapters did a nice deep dive on their given topic, I felt a little bit cheated on the JRuby chapter. This was more of a really broad overview of JRuby with one or two examples.

  • The book explains a complicated topic across several chapters, but you’re left to put everything together on your own. I would have liked to have seen one additional chapter that took a sufficient Ruby program and did a full walk-through of all the concepts you’d learned in the previous chapters; basically, a top-to-bottom overview chapter.

Who can/should read this:

  • Anyone interested in programming languages or in implementing their own programming language.
  • Those who want to become better Ruby developers.

Prereqs:

  • You’ll need to know a little bit of C to understand the standard Ruby implementation examples, but other than that, there are no prereqs. You don’t really even need to know Ruby that well (I don’t). If you don’t understand what a piece of Ruby code is doing, it’s easy to look it up online to quickly figure out what it does.