What is ‘Humble Bundle’?
Humble Bundle is a distribution platform selling games, ebooks, software, and other digital content. Since Humble’s founding in 2010, they have been supporting charity (that’s where the “Humble” comes into it) while providing packaged digital content to customers (“Bundle”).
The core of the “philosophy” is flexible pricing. When you buy a bundle, you can choose the price you want to pay. You can even choose how your money is divided – between the creators, charity, Humble Partners, and Humble Bundle themselves.
What books were included?
All the following books were included in the bundle. If you bought the highest tier of the bundle (allowing access to all the content) for $15, it would work out at $1.00 per item! The current selling price direct from the publisher for each book varies between £20 and £40! Safe to say then, this offer is another massive saving!
You can get your hands on the bundle (before the end of 31/12/2018) by visiting humblebundle.com
The Tangled Web
Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.
In The Tangled Web, Michal Zalewski, one of the world’s top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they’re fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You’ll learn how to:
• Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
• Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
• Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
• Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
• Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, “Security Engineering Cheat Sheets” at the end of each chapter offer ready solutions to problems you’re most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks
Author Michal Zalewski has long been known and respected in the hacking and security communities for his intelligence, curiosity and creativity, and this book is truly unlike anything else out there. In Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, Zalewski shares his expertise and experience to explain how computers and networks work, how information is processed and delivered, and what security threats lurk in the shadows. No humdrum technical white paper or how-to manual for protecting one’s network, this book is a fascinating narrative that explores a variety of unique, uncommon and often quite elegant security challenges that defy classification and eschew the traditional attacker-victim model.
Metasploit: The Penetration Tester’s Guide
The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.
Once you’ve built your foundation for penetration testing, you’ll learn the Framework’s conventions, interfaces, and module system as you launch simulated attacks. You’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.
Learn how to:
• Find and exploit unmaintained, misconfigured, and unpatched systems
• Perform reconnaissance and find valuable information about your target
• Bypass anti-virus technologies and circumvent security controls
• Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
• Use the Meterpreter shell to launch further attacks from inside the network
• Harness standalone Metasploit utilities, third-party tools, and plug-ins
• Learn how to write your own Meterpreter post exploitation modules and scripts
You’ll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else’s to the test, Metasploit: The Penetration Tester’s Guide will take you there and beyond.
The Car Hacker’s Handbook: A Guide for the Penetration Tester
Modern cars are more computerized than ever. Infotainment and navigation systems, Wi-Fi, automatic software updates, and other innovations aim to make driving more convenient. But vehicle technologies haven’t kept pace with today’s more hostile security environment, leaving millions vulnerable to attack.
The Car Hacker’s Handbook will give you a deeper understanding of the computer systems and embedded software in modern vehicles. It begins by examining vulnerabilities and providing detailed explanations of communications over the CAN bus and between devices and systems.
Then, once you have an understanding of a vehicle’s communication network, you’ll learn how to intercept data and perform specific hacks to track vehicles, unlock doors, glitch engines, flood communication, and more. With a focus on low-cost, open source hacking tools such as Metasploit, Wireshark, Kayak, can-utils, and ChipWhisperer, The Car Hacker’s Handbook will show you how to:
• Build an accurate threat model for your vehicle
• Reverse engineer the CAN bus to fake engine signals
• Exploit vulnerabilities in diagnostic and data-logging systems
• Hack the ECU and other firmware and embedded systems
• Feed exploits through infotainment and vehicle-to-vehicle communication systems
• Override factory settings with performance-tuning techniques
• Build physical and virtual test benches to try out exploits safely
If you’re curious about automotive security and have the urge to hack a two-ton computer, make The Car Hacker’s Handbook your first stop.
Practical Forensic Imaging
Forensic image acquisition is an important part of postmortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases; examine organizational policy violations; resolve disputes; and analyze cyber attacks.
Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools. This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations related to the imaging of storage media.
You’ll learn how to:
• Perform forensic imaging of magnetic hard disks, SSDs and flash drives, optical discs, magnetic tapes, and legacy technologies
• Protect attached evidence media from accidental modification
• Manage large forensic image files, storage capacity, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure disposal
• Preserve and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 timestamping
• Work with newer drive and interface technologies like NVMe, SATA Express, 4K-native sector drives, SSHDs, SAS, UASP/USB3x, and Thunderbolt
• Manage drive security such as ATA passwords; encrypted thumb drives; Opal self-encrypting drives; OS-encrypted drives using BitLocker, FileVault, and TrueCrypt; and others
• Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media
With its unique focus on digital forensic acquisition and evidence preservation, Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills and experienced Linux administrators wanting to learn digital forensics. This is a must-have reference for every digital forensics lab.
Android Security Internals
There are more than one billion Android devices in use today, each one a potential target. Unfortunately, many fundamental Android security features have been little more than a black box to all but the most elite security professionals—until now.
In Android Security Internals, top Android security expert Nikolay Elenkov takes us under the hood of the Android security system. Elenkov describes Android security architecture from the bottom up, delving into the implementation of major security-related components and subsystems, like Binder IPC, permissions, cryptographic providers, and device administration. You’ll learn:
- How Android permissions are declared, used, and enforced
- How Android manages application packages and employs code signing to verify their authenticity
- How Android implements the Java Cryptography Architecture (JCA) and Java Secure Socket Extension (JSSE) frameworks
- About Android’s credential storage system and APIs, which let applications store cryptographic keys securely
- About the online account management framework and how Google accounts integrate with Android
- About the implementation of verified boot, disk encryption, lockscreen, and other device security features
- How Android’s bootloader and recovery OS are used to perform full system updates, and how to obtain root access
With its unprecedented level of depth and detail, Android Security Internals is a must-have for any security-minded Android developer.
Gray Hat C#
Learn to use C#’s powerful set of core libraries to automate tedious yet important tasks like fuzzing, performing vulnerability scans, and analyzing malware. With some help from Mono, you’ll write your own practical security tools that will run on Windows, OS X, Linux, and even mobile devices.
After a crash course in C# and some of its advanced features, you’ll learn how to:
- Generate shellcode in Metasploit to create cross-platform and cross-architecture payloads
- Automate Nessus, OpenVAS, and sqlmap to scan for vulnerabilities and exploit SQL injections
- Write a .NET decompiler for OS X and Linux
- Parse and read offline registry hives to dump system information
- Automate the security tools Arachni and Metasploit using their MSGPACK RPCs
Streamline and simplify your workday by making the most of C#’s extensive repertoire of powerful tools and libraries with Gray Hat C#.
Practical Malware Analysis
Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring.
For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you’ll be able to safely analyze, debug, and disassemble any malicious software that comes your way.
You’ll learn how to:
- Set up a safe virtual environment to analyze malware
- Quickly extract network signatures and host-based indicators
- Use key analysis tools like IDA Pro, OllyDbg, and WinDbg
- Overcome malware tricks like obfuscation, anti-disassembly, anti-debugging, and anti-virtual machine techniques
- Use your newfound knowledge of Windows internals for malware analysis
- Develop a methodology for unpacking malware and get practical experience with five of the most popular packers
- Analyze special cases of malware with shellcode, C++, and 64-bit code
Hands-on labs throughout the book challenge you to practice and synthesize your skills as you dissect real malware samples, and pages of detailed dissections offer an over-the-shoulder look at how the pros do it. You’ll learn how to crack open malware to see how it really works, determine what damage it has done, thoroughly clean your network, and ensure that the malware never comes back.
Malware analysis is a cat-and-mouse game with rules that are constantly changing, so make sure you have the fundamentals. Whether you’re tasked with securing one network or a thousand networks, or you’re making a living as a malware analyst, you’ll find what you need to succeed in Practical Malware Analysis.
iOS Application Security: The Definitive Guide for Hackers and Developers
Eliminating security holes in iOS apps is critical for any developer who wants to protect their users from the bad guys. In iOS Application Security, mobile security expert David Thiel reveals common iOS coding mistakes that create serious security problems and shows you how to find and fix them.
After a crash course on iOS application structure and Objective-C design patterns, you’ll move on to spotting bad code and plugging the holes. You’ll learn about:
- The iOS security model and the limits of its built-in protections
- The myriad ways sensitive data can leak into places it shouldn’t, such as through the pasteboard
- How to implement encryption with the Keychain, the Data Protection API, and CommonCrypto
- Legacy flaws from C that still cause problems in modern iOS applications
- Privacy issues related to gathering user data and how to mitigate potential pitfalls
Don’t let your app’s security leak become another headline. Whether you’re looking to bolster your app’s defenses or hunting bugs in other people’s code, iOS Application Security will help you get the job done well.
Black Hat Python
When it comes to creating powerful and effective hacking tools, Python is the language of choice for most security analysts. But just how does the magic happen?
In Black Hat Python, the latest from Justin Seitz (author of the best-selling Gray Hat Python), you’ll explore the darker side of Python’s capabilities—writing network sniffers, manipulating packets, infecting virtual machines, creating stealthy trojans, and more. You’ll learn how to:
- Create a trojan command-and-control using GitHub
- Detect sandboxing and automate common malware tasks, like keylogging and screenshotting
- Escalate Windows privileges with creative process control
- Use offensive memory forensics tricks to retrieve password hashes and inject shellcode into a virtual machine
- Extend the popular Burp Suite web-hacking tool
- Abuse Windows COM automation to perform a man-in-the-browser attack
- Exfiltrate data from a network most sneakily
Insider techniques and creative challenges throughout show you how to extend the hacks and how to write your own exploits.
When it comes to offensive security, your ability to create powerful tools on the fly is indispensable. Learn how in Black Hat Python.
Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments
Pentesting Azure Applications is a comprehensive guide to penetration testing cloud services deployed in Microsoft Azure, the popular cloud computing service provider used by numerous companies. You’ll start by learning how to approach a cloud-focused penetration test and how to obtain the proper permissions to execute it; then, you’ll learn to perform reconnaissance on an Azure subscription, gain access to Azure Storage accounts, and dig into Azure’s Infrastructure as a Service (IaaS).
You’ll also learn how to:
- Uncover weaknesses in virtual machine settings that enable you to acquire passwords, binaries, code, and settings files
- Use PowerShell commands to find IP addresses, administrative users, and resource details
- Find security issues related to multi-factor authentication and management certificates
- Penetrate networks by enumerating firewall rules
- Investigate specialized services like Azure Key Vault, Azure Web Apps, and Azure Automation
- View logs and security events to find out when you’ve been caught
Packed with sample pentesting scripts, practical advice for completing security assessments, and tips that explain how companies can configure Azure to foil common attacks, Pentesting Azure Applications is a clear overview of how to effectively perform cloud-focused security tests and provide accurate findings and recommendations.
Hacking: The Art of Exploitation, 2nd Edition
Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope.
Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker’s perspective.
Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits. This book will teach you how to:
- Program computers using C, assembly language, and shell scripts
- Corrupt system memory to run arbitrary code using buffer overflows and format strings
- Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening
- Outsmart common security measures like nonexecutable stacks and intrusion detection systems
- Gain access to a remote server using port-binding or connect-back shellcode, and alter a server’s logging behavior to hide your presence
- Redirect network traffic, conceal open ports, and hijack TCP connections
- Crack encrypted wireless traffic using the FMS attack, and speed up brute-force attacks using a password probability matrix
Hackers are always pushing the boundaries, investigating the unknown, and evolving their art. Even if you don’t already know how to program, Hacking: The Art of Exploitation, 2nd Edition will give you a complete picture of programming, machine architecture, network communications, and existing hacking techniques. Combine this knowledge with the included Linux environment, and all you need is your own creativity.
Serious Cryptography: A Practical Introduction to Modern Encryption
This practical guide to modern encryption breaks down the fundamental mathematical concepts at the heart of cryptography without shying away from meaty discussions of how they work. You’ll learn about authenticated encryption, secure randomness, hash functions, block ciphers, and public-key techniques such as RSA and elliptic curve cryptography.
You’ll also learn:
- Key concepts in cryptography, such as computational security, attacker models, and forward secrecy
- The strengths and limitations of the TLS protocol behind HTTPS secure websites
- Quantum computation and post-quantum cryptography
- About various vulnerabilities by examining numerous code examples and use cases
- How to choose the best algorithm or protocol and ask vendors the right questions
Each chapter includes a discussion of common implementation mistakes using real-world examples and details what could go wrong and how to avoid these pitfalls.
Whether you’re a seasoned practitioner or a beginner looking to dive into the field, Serious Cryptography will provide a complete survey of modern encryption and its applications.
Penetration Testing
Penetration testers simulate cyber attacks to find security weaknesses in networks, operating systems, and applications. Information security experts worldwide use penetration techniques to evaluate enterprise defenses.
In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine–based lab that includes Kali Linux and vulnerable operating systems, you’ll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you’ll experience the key stages of an actual assessment—including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more.
Learn how to:
- Crack passwords and wireless network keys with brute-forcing and wordlists
- Test web applications for vulnerabilities
- Use the Metasploit Framework to launch exploits and write your own Metasploit modules
- Automate social-engineering attacks
- Bypass antivirus software
- Turn access to one machine into total control of the enterprise in the post exploitation phase
You’ll even explore writing your own exploits. Then it’s on to mobile hacking—Weidman’s particular area of research—with her tool, the Smartphone Pentest Framework.
With its collection of hands-on lessons that cover key tools and strategies, Penetration Testing is the introduction that every aspiring hacker needs.
Attacking Network Protocols
Attacking Network Protocols is a deep dive into network protocol security from James Forshaw, one of the world’s leading bug hunters. This comprehensive guide looks at networking from an attacker’s perspective to help you discover, exploit, and ultimately protect vulnerabilities.
You’ll start with a rundown of networking basics and protocol traffic capture before moving on to static and dynamic protocol analysis, common protocol structures, cryptography, and protocol security. Then you’ll turn your focus to finding and exploiting vulnerabilities, with an overview of common bug classes, fuzzing, debugging, and exhaustion attacks.
Learn how to:
- Capture, manipulate, and replay packets
- Develop tools to dissect traffic and reverse engineer code to understand the inner workings of a network protocol
- Discover and exploit vulnerabilities such as memory corruptions, authentication bypasses, and denials of service
- Use capture and analysis tools like Wireshark and develop your own custom network proxies to manipulate network traffic
Attacking Network Protocols is a must-have for any penetration tester, bug hunter, or developer looking to understand and discover network vulnerabilities.
How do I find out when the next offer is on?
One way to find out about future Humble Bundle offers is to check their website regularly.
But the way I’ve found out about the past two bundles is by listening to the weekly Security Now! podcast. Steve Gibson, from GRC.com, will often mention when a Humble Bundle is out, and will also often discuss the quality of the books or content on offer.
What’s more, you’ll learn more about security by listening weekly, so it’s a win-win!