Sunday, February 17, 2013

Book Review: “Zero Day (2011)” by Mark Russinovich

Executive Summary
I recommend this book for the casual reader that is interested in cyber security topics. It is not a must-read if you are already a cyber security professional. You probably already know about most of the topics covered. However, if you have friends and family that wonder what you do every day, you might hand this to them as a primer. And, if you are looking for some pretty good reading material for your next beach vacation, you could do a lot worse. “Zero Day” is a fun political thriller that shows computer security geeks saving the day. In it, Russinovich describes the nature of cyber crime and how a cyber terrorism campaign might be launched against the US. 

Review: 
I appreciate what Mr. Russinovich is trying to do with this novel: Tell an exciting, “Die Hard-ish” story with interesting cyber security people and realistic tech and, at the same time, inform the general reader about how dangerous the current state of the cyber security environment is. In a presentation that Russinovich did at RSA last year to supplement this book, he quoted Senator Joe Lieberman: 

“To me it feels like it is September 10 2001. The system is blinking red – again. Yet we are failing to connect the dots – again [2].” 

One of the reasons I started this blog was to talk about novels that do this very thing. Russinovich has devoted two books to the idea: this one and the sequel, “Trojan Horse,” which he published in 2012. Well done, sir. He is also a geek of the highest order. He is a Microsoft Technical Fellow, a co-founder of the famous Sysinternals website [3], and he was the guy that discovered the rootkit that Sony BMG installed on its music CDs back in 2005 [4].

The good guys in the story are a Mr. Jeff Aiken, an überkind computer security consultant with a past, and Daryl Haugen, the US CERT director and no slouch in the technical prowess department. These two fight the US government bureaucracy in an effort to defeat a follow-on 911 cyber-attack that is intended to destroy a significant portion of every data system in the US. Along the way, the reader is treated to colorful descriptions of malicious code attacking an on-board in-flight aircraft computer system causing a near-crash, adjusting the geo-positioning system on a large oil tanker that causes a harbor crash and the spillage of millions of tons of crude oil into the harbor, tinkering with the Supervisory Control and Data Acquisition (SCADA) systems in multiple nuclear power plants, and controlling multiple manufacturing robots on an assembly line that eventually causes the murder of one of the human technicians.

The main hacker in the story is Superfreak (AKA Vladimir Koscov), a Russian engineer who has found a way to make a pretty good living building elite malicious code for his benefactors. His benefactors are two Islamic brothers with ties to Osama bin Laden and who are intent on striking the US another significant blow after the first 911 attacks. One of the brothers even makes a special pilgrimage across the desert to receive his mission from Osama bin Laden personally.

Russinovich uses this Tom Clancy-ish plot to push the story forward. Along the way, he takes the time to explain the cyber security environment to the average reader. He provides decent descriptions of the classic “Salami Slice” bank hack (see the movies “Superman III” or “Office Space” or “Hackers”) [5], the game-changing Slammer Worm attack of 2003 that compromised every machine on the planet that it was going to compromise in 10 minutes (some 75,000 victims) [6], the E-Gold Money Laundering scheme (a blackhat internet service that was popular for a few years in the 2000s) [7], and what a zero day vulnerability is [8]. He makes the point about why the US is vulnerable to the plot’s cyber terrorism evil plan compared to other nations based on how completely the US has embraced the internet for day-to-day business. This is the asymmetry problem described by Clarke in his Cyber Warfare book and the leverage that China has been taking advantage of for the past decade [9].

I first read this book when Russinovich published it back in 2011. Although I enjoyed it, I did not put it on my list of “Books I recommend to my cyber security geek friends.” The reason I did not was that the character portraits that Russinovich paints just did not ring true.

I mean all the good-guy main characters were geniuses and beautiful (men and women). He describes the two main women geeks as off-the-charts elevens (on a 1-10 scale). I have known a lot of geeks in my life. Although many were geniuses in their own right, “Beautiful” is not an adjective that would come to mind first to describe their physical appearance (present company included). Most of the geeks that I hang around with are happy just to have a female in the room. Traditional Hollywood-style beauty is not normally in the equation (for both the men and the women).

The main computer geek, Jeff, had discovered that the 911 attacks were going to happen before they did (because of his “mad” computer skills) and was prevented from warning the nation because of a misguided bureaucrat. The last half of the book describes the two main characters traipsing around the world (France and Russia) on their own trying to eliminate the threat. I love my geek friends and most of us have large egos that make us believe we are way more important than we really are, but most of this is out of our comfort zone.

Finally, the straw that broke the camel’s back for me was the fact that the same evil bureaucrat that prevented Jeff from warning the nation about the 911 attacks was the guy that the terrorists in this book turned in order to gain information to launch this second wave attack. That plot point was a little too “On the nose” if you know what I mean.

On a second reading though, I have changed my mind. Russinovich is not doing anything here that is not done by other authors in other books of this political thriller genre. The heroes in all of these books (and movies) are geniuses and beautiful. It is why we like to read these things. What jarred me at the first reading was that I was not expecting to see that formula applied to my peeps. I imagine the experience is similar to what normal cops and government spies do when they see their counterparts described in books and movies. I am sure there is a lot of eye-rolling going on about what a real cop does compared to a hero cop in a novel. Russinovich did not write this book for me. He wrote it for the masses. Once I got past this idea, it was easier for me to be less critical.


Conclusion

This book is not a must-read if you are already a cyber security professional. You probably know about most of the topics covered. However, if you have friends and family that wonder what you do every day, you might hand this to them as a primer. And, if you are looking for some pretty good reading material for your next beach vacation, you could do a lot worse. “Zero Day” is a fun political thriller that shows computer security geeks saving the day. How is that not a great way to waste some time on the beach? 

Note:

Zero Day is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.

Sources: 
[1] “Announcing Trojan Horse, the Novel,” by Mark Russinovich, Mark Russinovich’s Blog, 8 May 2012, Last Visited 6 February 2013 
http://blogs.technet.com/b/markrussinovich/archive/2012/05/08/3496339.aspx 

[2] “ZeroDay – A non-Fiction View,” by Mark Russinovich, RSA Conference 2012, 23 March 2012, Last Visited 13 February 2013 
http://www.youtube.com/watch?v=SX7Lxvb5ZD8&noredirect=1 

[3] “Windows Sysinternals,” by Mark Russinovich and Bryce Cogswell, Microsoft, Last Visited 13 February 2013
http://technet.microsoft.com/en-us/sysinternals 

[4] “Sony Rootkits and Digital Rights Management Gone too Far,” by Mark Russinovich, Mark Russinovich’s Blog, 31 October 2005, Last Visited 13 February 2013 
http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx 

[5] “What is Salami Slicing,” by WiseGeek, Last Visited 13 February 2013
http://www.wisegeek.com/what-is-salami-slicing.htm 

[6] “Inside the Slammer Worm,” by D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, CAIDA: The Cooperative Association of Internet Data Analysis, August 2003, Last Visited 13 February 2013 
http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx 

[7] “E-Gold Pleads Guilty to Money Laundering,” by Robert Lemos, Security Focus, July 2008, Last Visited 13 February 2013 
http://www.securityfocus.com/news/11528 

[8] “Vulnerability Trends,” by Symantec, Last Visited 13 February 2013 
http://www.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=zero_day_vulnerabilities 

[9] “Book Review: Cyber Warfare: The Next Threat to National Security and What to Do about It,” by Rick Howard, Terebrate, 21 January 2013, Last Visited 13 February 2013 
