Armchair Security
Roberta culls her considerable library to bring you some of the best and worst that’s been published on her favorite topic.
- By Roberta Bragg
- January 01, 2000
Many of you have written to me asking for advice. Sometimes
it’s the generic, “I’d like to break into the security
field—what would you advise?” request, and sometimes it’s
a specific problem you’re trying to resolve. But occasionally
you ask, “What books do you suggest I read?” Sensing a
fellow glutton for punishment, I usually refer you to
my latest discovery or advise you to visit your favorite
bookstore, empty the shelves of all security-related books,
commandeer a reading table and chair, and dig in. Thus,
you can select the books that speak to you. (When online
bookstores offer this luxury, I’ll probably spend more
money there.) Many of you, however, haven’t the time nor
inclination to do this; or maybe you’re not ready to dive
into some obscure tome that’s my current bedside companion.
In tribute to these latter groups, I herein offer these
pointers to finding useful security books.
Building Internet Firewalls
By D. Brent Chapman and Elizabeth D. Zwicky
O’Reilly & Associates, 1995
ISBN 1-56592-124-0, $34.95
Although this classic book was published eons ago in
1995 (in Internet years; 1 human calendar year equals
20 Internet years), it remains my first choice and the
most recommended book on firewalls. Thirteen chapters discuss
topics from A to Z and include “Why Internet Firewalls,”
“Security Strategies,” “Firewall Design,” “Bastion Hosts,”
“Authentication and Inbound Services,” and “Responding
to Security Incidents.” The appendix covers TCP/IP fundamentals.
The book assumes you’re working with a Unix host, but
most of the information is also relevant to Windows NT.
I especially like Chapter 3, which details basic security
concepts such as least privilege (only give privileges
that are necessary to do assigned tasks and no more),
defense in-depth (install multiple mechanisms that back
each other up), choke point (force attackers to use a
narrow channel), and weak point (know the weak points
in your defense and take steps to eliminate them). It
also covers fail-safe stance (sooner or later systems
fail—when they do, they should fail in ways that deny
attackers access), universal participation (security is
everyone’s business), diversity of defense (use security
systems from different vendors), and simplicity (if you
can’t understand something, how do you know it’s secure?).
The chapters on building firewalls include information
on design, packet filtering, proxying, and configuring
Internet services. Want to know the packet filtering characteristics
of NNTP or http? How about, “What can a malicious server
do to your http clients?” Want advice on what to allow
or not allow? (“The best way to allow IRC is to put an
untrusted victim machine with no confidential data on
it on a perimeter network and let users log into that
machine to run IRC.”) If you know nothing about firewalls,
start with this book. If you know something about firewalls,
read it. If you’re a firewall guru, read it, then recommend
it.
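The Chapter 3 principles the review lists (least privilege, choke point, fail-safe stance) are what a packet-filtering rule set actually encodes. The following is an added example, not code from the book or from this column, of a small stateless filter in Python: an ordered rule list evaluated first-match, with anything unmatched denied. The addresses, the internal network 192.0.2.0/24 and the bastion web server 192.0.2.10 are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving for it)
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str
    proto: Optional[str]   # None matches any protocol
    src: str               # CIDR block
    dst: str               # CIDR block
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed perimeter policy (assumption for this example): 192.0.2.0/24 is the
# internal network and 192.0.2.10 the bastion host running the public web server.
# Least privilege: only the services that are actually needed get a rule.
RULES = [
    # Anti-spoofing: a packet claiming an inside source address can never arrive
    # from the outside, so it is dropped before any allow rule can match it.
    Rule("deny", "in", None, "192.0.2.0/24", "0.0.0.0/0", None),
    # The only inbound service: HTTP to the bastion host (the choke point).
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    # Outbound web browsing from the internal network.
    Rule("allow", "out", "tcp", "192.0.2.0/24", "0.0.0.0/0", 80),
    Rule("allow", "out", "tcp", "192.0.2.0/24", "0.0.0.0/0", 443),
]


def decide(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # fail-safe stance: when in doubt, the filter fails closed


if __name__ == "__main__":
    probe = Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 23)
    print(probe, "->", decide(probe))  # telnet to the bastion is not allowed
```

The important property is the last line of `decide`: a rule set that ends in an implicit deny needs only to enumerate what is permitted, so forgetting a service costs availability rather than security.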
Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design (How federal agencies subvert privacy)
By the Electronic Frontier Foundation
O’Reilly & Associates, 1998
ISBN 1-56592-520-3, $29.95
Just the title will get you to buy the book, won’t it?
Can DES (Data Encryption Standard) be cracked? Well, of
course, you answer, it’s been done already (in 1997 and
1998, in 5 months and in 39 days, respectively). This
book, however, outlines specifications for building a
computer out of custom chips that would extract DES keys
in days at reasonable prices, or hours at higher prices.
The game, as outlined by the authors, has changed. It’s
no longer a question of whether DES can be cracked (keys
extracted) but rather “…a question of how cheaply they
can be extracted and for what purposes.”
Most of the book is spent outlining the technical details
of the Electronic Frontier Foundation’s research project
to build a machine to crack DES. (EFF, at www.eff.org,
is a non-profit public-interest organization devoted to
protecting rights and promoting liberty online.)
The most fascinating part of the book for most of us,
however, will be the section devoted to the politics of
decryption. Decryption, as you recall, is the process
of reading information that has been encrypted by finding
and using the key that was used to encrypt it. Finding
the key (called exhaustive or brute force search because
one key after another is tried until the correct one is
found) is the job of this machine. What can be political
about that?
According to the authors, government agencies have a
huge investment in protecting DES’ reputation. Statements
are often made that it would take thousands of computers
weeks or years to crack a single DES-encrypted message,
when in reality, reputable scientists have calculated
much shorter times. Why? The somewhat paranoid theory
goes something like this. If business is lulled into using
a weak key, then government agencies will be able to more
easily compromise it. The success of this strategy, the
authors say, relies on keeping industry and the public
misled about DES’ security. In fact, they go further,
claiming a deliberate promulgation of disinformation
to prevent the adoption of stronger standards than DES
and to encourage law and policy makers (Congress and the
President) to require “key recovery” to support law enforcement.
Key recovery is the policy that would require computer
companies with encryption capabilities in their products
to give the government the capability of compromising
data encrypted through their product.
The authors and their team (10 part-time people) built
their DES-cracking box for $210,000 (this included design,
integration, materials, building, and testing) in 18 months.
Buy this book and you can build your own, probably for
a lot less. Buy it to learn (complete C code for the software
included!). Buy it for your pre-teen daughter, who may
just build a DES-cracking machine for her high school
science fair project.
Network Intrusion Detection: An Analyst’s Handbook
By Stephen Northcutt
New Riders, 1999
ISBN 0-73570-868-1, $39.99
This author has a history. Try to learn something about
intrusion detection—indeed, about security—and you won’t
escape his name. Northcutt is the original developer of
the Shadow intrusion detection system, a former head of
the Department of Defense’s Shadow Intrusion Detection
Team, and currently Chief Information Warfare Officer
for the U.S. Ballistic Missile Defense Organization. In
this action-packed volume (well, it’s not exactly a spy
thriller or shoot-’em-up), Northcutt details the process
and paradigm of intrusion detection. Intrusion detection
“…is not a specific tool, but a capability, a blending
of tools and techniques.” As a teacher, nay, mentor, Northcutt
leads you, the budding intrusion detection analyst, step-by-step
into his world—the book becomes your reference and training
manual.
It starts with a detailed analysis of the famous Kevin
Mitnick attack. Here you learn about SYN Flooding, how
the attacker covered his tracks, identified trust relationships
using simple Unix commands and network traces, and went
on to use TCP hijacking to gain confidential information.
You’ll also learn how the attack could have been thwarted,
and how it could have been detected at several points
in the attack. Furthermore, Northcutt challenges you to
use detection of this attack as a lowest-level threshold
of intrusion detection capability. If your tool can’t
reliably detect this attack, it’s not an intrusion detection
tool, he says, it’s merely “…something that runs, whirs,
and chips, and gives us the warm, numb feeling of security.”
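Northcutt’s “lowest-level threshold” is detecting the SYN flood that opened the Mitnick attack. As an added example (not code from the book or from this column), here is the simplest form of that detection in Python: count SYNs to each target that were never followed by the client’s handshake ACK, and alert when the number of half-open connections in a time window passes a threshold. The connection records are constructed for the illustration; the threshold and window values are assumptions a real analyst would tune.

```python
from collections import defaultdict

# Constructed connection records: (seconds, src, dst, dport, flag), where flag is the
# TCP control bit set by the client. One legitimate client completes its handshake;
# thirty other sources send a SYN each and never answer the server's SYN-ACK.
RECORDS = [
    (0.0, "198.51.100.7", "192.0.2.10", 25, "SYN"),
    (0.1, "198.51.100.7", "192.0.2.10", 25, "ACK"),  # handshake completed
] + [
    (1.0 + i * 0.01, f"203.0.113.{i}", "192.0.2.10", 25, "SYN") for i in range(1, 31)
]


def half_open_counts(records, window=5.0):
    """Number of SYNs per (dst, dport) not followed by the client's ACK and still
    younger than `window` seconds at the end of the trace. A surge of these is the
    classic SYN-flood signature; older entries are assumed to have timed out."""
    pending = {}  # (src, dst, dport) -> time the SYN was seen
    for t, src, dst, dport, flag in sorted(records):
        key = (src, dst, dport)
        if flag == "SYN":
            pending[key] = t
        elif flag == "ACK" and key in pending:
            del pending[key]  # third step of the handshake: no longer half-open
    end = max(r[0] for r in records)
    counts = defaultdict(int)
    for (_src, dst, dport), t in pending.items():
        if end - t <= window:
            counts[(dst, dport)] += 1
    return dict(counts)


def detect_syn_flood(records, threshold=20, window=5.0):
    """Return the (dst, dport) targets whose half-open count reaches the threshold."""
    return sorted(target for target, n in half_open_counts(records, window).items()
                  if n >= threshold)


if __name__ == "__main__":
    for target in detect_syn_flood(RECORDS):
        print("possible SYN flood against", target)
```

A tool that cannot raise this alert on such a trace fails Northcutt’s test; a real sensor would also have to cope with the legitimate variant, a busy server whose clients are merely slow, which is why the threshold and window matter.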
Reading this book is to be seduced into late nights of
discovery. Northcutt is the pied piper and I’m a child
skipping after him out of town (OK, so I’m a little weird).
His melodies speak of recon probes, scans, TCP wrappers,
tripwire, IMAP, Back Orifice, Netbus, pathological fragmentation,
FTP bounce, filters, and more. Specific attacks, their
signatures, and filters to detect them are detailed, as
well as how to write your own filters. Legal advice for
the budding analyst is also given: “STOP! Take your hands
off the keyboard and back away from the computer. Just
because you can do something doesn’t mean it’s a good
idea.”
The building of an intrusion detection system is covered
and can help you in evaluating commercial solutions. Chapters
6 through 8 examine network traces. If you’re a TCP aficionado,
these allow you to discover the signatures of attacks
in progress; for gurus-in-training, a first study will
teach a lot about IP. Later examination and study will
reveal the attack signatures. Read it twice, and then
read it again.
Did you know that switched networks are a major challenge
for intrusion detection? Or that most intrusion detection
systems on the market are full of false positives? What
about how difficult it is to determine the difference
between scanning for vulnerabilities and carrying out
the actual attack? Would you like to know how ISS RealSecure
functions under common attacks? How about a professional’s
insight into other commercial intrusion detection products?
If intrusion detection is of interest to you, this book
will get you started and keep you occupied. Buy it. Study
it. Digest it. Use it. Or risk being written up in a future
Northcutt book.
Hacker Proof: The Ultimate Guide to Network Security
By Lars Klander
Jamsa Press, 1997
ISBN 1-88413-355-X, $54.95
This book is now two years old. Is it still relevant?
Its 642 pages address topics ranging from “Understanding
the Risks,” “Understanding and Using Firewalls,” “Identifying
and Defending Against Some Common Hacker Attacks,” to
“Using Kerberos Key Exchange on Distributed Systems.”
But the book also contains many pages of basic knowledge
(40 pages on basic TCP/IP and networking—star, bus and ring
topology, anyone?) and information that dates the reference
(IIS 4.0 beta available for download).
However, the book doesn’t seek to be a pontifical tome
that challenges security, TCP/IP, or other information
system experts. It’s written for the general public, and
for IT professionals who have an interest in these issues
but haven’t spent much time studying them. Clear, simple
explanations step you through the basics and prepare you
for further understanding. If you’re beginning your career
in information systems, if you feel you have gaps in your
understanding, then this book may be for you.
Computer Security
By Dieter Gollmann
John Wiley & Sons, 1999
ISBN 0-47197-844-2, $54.99
This book is set apart by its intention. Gollmann, who
now works for Microsoft, took his notes from five years
of teaching computer security at the University of London
and produced what was intended to be a textbook. After
an introduction to the fundamentals, you’ll find sections
on NT and Unix, distributed systems (Web systems included),
and theory. It’s meant for self-study or formal course
presentation. What intrigued me, an instructor, about
this book is the fact that teaching materials are advertised
as available online. Unfortunately, I haven’t been able
to connect to the advertised site.
Ever notice that books have an atmosphere, a certain
je ne sais quoi? Furthermore, ever notice that
academic books have as their atmosphere a respite for
insomniacs? This book is guaranteed to scale a 9 on the
yawn factor. Witness:
“…a set of subjects S; a set of objects O;
the set of access operations A = {execute, read, append,
write} that directly mirror the access rights… a set L
of security levels with a partial ordering ≤. B = R(S
× O × A) is the set of current accesses.”
or:
“An element b ∈ B is a collection of tuples
(s, o, a), indicating that subject s currently performs
operation a on object o...”
Sure, there’s some good information here, but like most
academic material, it was never meant to intrigue my rather
common mind. (Apologies to my thesis professor, Gordon;
I know it just precisely defines things for you PhD types.)
Personally, I think I can grasp the concepts—and even
put them into play—without the above. But I’d love to
hear what you think about this book. Be the first reader
to let me know you’re interested and I’ll mail you my
copy.
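The definitions quoted above are the state of the Bell-LaPadula model: subjects, objects, the four access operations, ordered security levels, and the current access set B. As an added example that is not from Gollmann’s book or this column, here is that state in Python with the two rules the model is known for: a subject may read (observe) only objects at or below its level, and may append or write (alter) only objects at or above it. The level names and the subjects and objects are constructed; the model’s separate “current level” of a subject is simplified to its clearance, which is an assumption of this example.

```python
# Security levels L with their ordering (constructed labels for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(higher: str, lower: str) -> bool:
    """True when `higher` is at or above `lower` in the partial ordering."""
    return LEVELS[higher] >= LEVELS[lower]


class State:
    """One BLP state: f_S maps subjects to clearances, f_O maps objects to
    classifications, and b (an element of B) is the set of current (s, o, a) accesses."""

    OBSERVE = {"read", "write"}   # operations that let the subject see the object
    ALTER = {"append", "write"}   # operations that let the subject change the object

    def __init__(self, f_s: dict, f_o: dict):
        self.f_s = f_s
        self.f_o = f_o
        self.b = set()

    def permitted(self, s: str, o: str, a: str) -> bool:
        """Would adding (s, o, a) keep both properties? 'execute' is unconstrained here."""
        if a in self.OBSERVE and not dominates(self.f_s[s], self.f_o[o]):
            return False  # simple security property: no read up
        if a in self.ALTER and not dominates(self.f_o[o], self.f_s[s]):
            return False  # *-property: no write down
        return True

    def request(self, s: str, o: str, a: str) -> bool:
        """Grant the access (add it to b) only if the resulting state stays secure."""
        if not self.permitted(s, o, a):
            return False
        self.b.add((s, o, a))
        return True

    def secure(self) -> bool:
        """Check every current access against both properties."""
        return all(self.permitted(s, o, a) for s, o, a in self.b)

    def current_accesses(self):
        return sorted(self.b)


if __name__ == "__main__":
    # Constructed subjects and objects.
    st = State({"alice": "secret", "bob": "unclassified"},
               {"plan": "secret", "memo": "unclassified"})
    for req in [("alice", "plan", "read"), ("bob", "plan", "read"),
                ("bob", "plan", "append"), ("alice", "memo", "append")]:
        print(req, "->", "granted" if st.request(*req) else "denied")
    print("state secure:", st.secure())
```

Running it shows why the *-property surprises newcomers: the unclassified subject may append to the secret plan (it cannot read it back), while the secret-cleared subject may not append to the unclassified memo, because that would move information down.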
Handbook of Information Security Management, 1999 Edition
Edited by Micki Krause and Harold F. Tipton
Auerbach, 1999
ISBN 0-84939-974-2, $95
Those of us in the systems administration field are intent
on making things happen. Some of us who like to consider
ourselves security-conscious are intent on keeping things
from happening. Then there are the information systems
auditors intent on assuring that only the correct things
have happened. Who’s responsible for making sure we can
all do our jobs and that the protection from things that
shouldn’t happen doesn’t get in the way of the things
that need to happen? It’s the followers of the profession
of information security, and this book outlines what they
should know and do.
In my September 1999 column, “Become the Consummate Certified
Security Professional,” I told you about the Certified
Information System Security Professional (CISSP) title
and the bear-of-an-exam that had to be passed to obtain
that certification. This book can be thought of as the
study guide for that test. No fancy cover, no title that
screams of a quick and dirty way to assure yourself prosperity,
no CD with a practice exam. You’ll see few charts and
graphs, no funny faces or attention-getting icons, no
“notes” that repeat what was said in the paragraph above.
Instead, you get 10 subject domains that match those covered
on the exam—excuse me—examination.
If you’re serious about information security, even if
you choose not to pursue certification, this is the book
to get. It covers access control, telecommunications and
networking security, disaster recovery, security management,
security architecture, law, ethics, application development
security, cryptography, computer operations security,
and physical security. Although this is a serious book,
it’s not hard going. You’ll find yourself rapidly progressing
through areas you’re familiar with, while paying attention
to the less familiar. You’ll find generally accepted solutions
to security issues as well as plenty of ideas to help
make your systems more secure.
Take the section on “Protecting the Portable Computing
Environment.” While most of us have thought of the dangers
of traveling with corporate data on our laptop, have you
been concerned with shoulder-surfing travelers who might
learn your remote access logons? Are you aware that many
wireless networks don’t encrypt the logon and password?
What about the danger of sharing the company laptop? Will
users always remember to destroy files they’ve saved to
the hard disk? Is it possible someone might recover that
data even if it’s deleted? If you leave your laptop in
a hotel room and it’s stolen, do you lose more than the
cost of the laptop? The module ends with a list of suggestions
for securing laptops. This compilation includes the use
of data encryption, encrypted logons, not storing the
password on the hard disk, biometric or other enabling
devices, and the use of plain and simple 3.5-inch disks
while on the road, which can be locked in a safe during
your stay.
Computer Security Handbook, Third Edition
Edited by Hutt, Bosworth, Hoyt
John Wiley & Sons, 1995
ISBN 0-47111-854-0, $79.95
Let’s see… Tons of detailed information. “Management’s
Role in Computer Security,” “Employment Policies and Practices,”
“Legal Issues in Computer Security,” “Computer Crime and
Computer Criminals,” “Auditing Computer Security,” “Penetrating
Computer Systems and Networks,” “Security of Computer
Data, Records and Forms,” and the list goes on. Then the
appendix starts. This book is for managers—I can see it
being used for a graduate-level course—but is the information
useful to those of us in the trenches?
If you like checklists, this book’s got ’em. There’s
the Employee Security Checklist, the Contingency Planning
Checklist, the Security Environment Survey Questionnaire,
the Legal Checklist, the Hardware Security Checklist,
the Virus and Related Threats Checklist, the Data Communications
and Networking Checklist, the Data Encryption Checklist,
the Security of Computer Data Checklist… Need I go on?
Want a history and evolution of computer-related crime?
In the 1960s and 1970s, the number of reported computer-related
incidents (vandalism, theft, fraud, and unauthorized use
or sale) never exceeded 100 a year. (Of course, how many
computers did we have in those decades?) Did you know
that the typical computer criminal is male, white, young
(ages 19 through 30), and has no previous criminal record?
(Well, duh, aren’t most computer professionals male, white,
young, without previous criminal record?) My opinion:
Get this one if you’re a manager or consultant; the checklists
alone will justify its price. Get other books for the
details.
Disappearing Cryptography, Being and Nothingness on the Net
By Peter Wayner
Academic Press/Morgan Kaufmann, 1996
ISBN 0-12738-671-8, $37
If all our efforts focus on preventing others from access
to our innermost secrets, doesn’t it hold true that they’d
have to find them first? I’m not talking about placing
data within a labyrinth of disks and files and protecting
it with the latest in security technology, I’m talking
about making data disappear. Peter Wayner suggests we
can. He says we can hide messages within the noise of
the images and sound files that float around the Internet.
He claims an eighth of an image file can be used to hide
information without changing the quality of the image.
Better yet, turn data into the voice-over to a baseball
game. To most people listening, it’s a broadcast. To the
initiated, it’s a message. How is this steganography (disappearing
cryptography) done? Each chapter in the book describes
a technique, and there’s code at the end of the book to
implement some of it.
Take, for example, the baseball game voice-over. Just
how would you hide information in such a scenario? Easy,
the author says. Each sentence of the production can be
converted into 1s and 0s. If the announcer says, “Here’s
the pitch. Nothing on that one,” or “Here comes the pitch—it’s
a curvaceous beauty,” the nouns and verbs can have assigned
bits. The result might be 1101 and 0011, respectively.
Get the drift? To find the true message, you have to know
the assignments. Listen to the broadcast, write down the
bits, then translate the bits by some pre-agreed upon
formula. To create the message, you have to agree to the
bit assignments, then run the message through a program
that’s been designed to produce baseball voice-over type
sentences from a string of bits.
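The baseball voice-over is a grammar whose word choices carry bits. Here is an added example in Python (not Wayner’s code and not from this column) of the whole round trip the paragraph describes: a pre-agreed table assigns two bits to each of four phrasings in each slot of a commentary sentence, the encoder spends the message’s bits choosing phrasings, and the receiver reads the bits back by recognising which phrasing was used. The phrase tables are constructed for the illustration.

```python
# Pre-agreed bit assignments (constructed): each slot has four phrasings, so the
# index of the phrasing chosen encodes two bits; one sentence carries six bits.
SLOTS = [
    ["Here's the pitch.", "Here comes the pitch.",
     "He winds up and delivers.", "The pitcher sets and throws."],
    ["Nothing on that one.", "It's a curvaceous beauty.",
     "Fastball, high and tight.", "That one bounced in the dirt."],
    ["Ball one.", "Strike one.", "The batter takes it.", "Swing and a miss."],
]
BITS_PER_SLOT = 2
BITS_PER_SENTENCE = BITS_PER_SLOT * len(SLOTS)


def text_to_bits(s: str) -> str:
    return "".join(f"{b:08b}" for b in s.encode("utf-8"))


def bits_to_text(bits: str) -> str:
    # Whole bytes only; the few padding bits at the end of the last sentence are dropped.
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("utf-8")


def encode(message: str) -> str:
    """Turn a message into lines of commentary, one sentence per six bits."""
    bits = text_to_bits(message)
    bits += "0" * (-len(bits) % BITS_PER_SENTENCE)  # pad to whole sentences
    sentences = []
    for i in range(0, len(bits), BITS_PER_SENTENCE):
        chunk = bits[i:i + BITS_PER_SENTENCE]
        words = [SLOTS[j][int(chunk[j * 2:j * 2 + 2], 2)] for j in range(len(SLOTS))]
        sentences.append(" ".join(words))
    return "\n".join(sentences)


def decode(broadcast: str) -> str:
    """Listen to the broadcast, write down the bits, translate them back to text."""
    bits = ""
    for line in broadcast.splitlines():
        rest = line
        for slot in SLOTS:
            for index, phrase in enumerate(slot):
                if rest.startswith(phrase):
                    bits += f"{index:02b}"
                    rest = rest[len(phrase):].lstrip()
                    break
            else:
                raise ValueError("line does not follow the agreed grammar: " + line)
    return bits_to_text(bits)


if __name__ == "__main__":
    cover = encode("Meet at noon")
    print(cover)
    print("recovered:", decode(cover))
```

Because the padding never reaches a full byte (at most five bits), the decoder recovers the message exactly; to anyone without the tables, the output is just a dull half-inning.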
The technique I liked best is based on hiding your secrets
among the noise. When pictures or movies are digitally
encoded, a certain amount of meaningless noise—extra bits—gets
in the mix. Why not use these extra bits, since no one
cares about them? You could change them to hold your message.
Most people strain to filter the noise from the recording;
your receiving partner will filter the recording from
the noise. Hiding things in noise is actually one of my
specialties. After all, there are all kinds of valuable
things right in plain view in my house, but they’re hidden
from thieves and vagabonds (and sometimes myself) by
the exceedingly large amount of noise (disorder) that
exists all around them.
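The “eighth of an image file” is the least significant bit of every 8-bit sample: replace it with a message bit and the sample changes by at most one level, below the sensor noise already in the picture. As an added example (not Wayner’s code and not from this column), here is that embedding and extraction in Python over a constructed 8-bit grayscale cover; a two-byte length prefix lets the receiver know where the message ends.

```python
import random


def make_cover(n: int = 512, seed: int = 1) -> bytes:
    """Constructed cover: a smooth gradient plus small sensor-like noise, 8 bits per sample."""
    rng = random.Random(seed)
    return bytes(max(0, min(255, (i * 255) // n + rng.randint(-3, 3))) for i in range(n))


def capacity_bytes(cover: bytes) -> int:
    """One message bit per sample: an eighth of the file, minus nothing yet for the header."""
    return len(cover) // 8


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a length-prefixed message into the least significant bit of each sample."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) > capacity_bytes(cover):
        raise ValueError("message does not fit in the cover's LSBs")
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]  # MSB first
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(out)


def _read_bytes(stego: bytes, start_sample: int, n_bytes: int) -> bytes:
    """Reassemble n_bytes from the LSBs of consecutive samples, starting at start_sample."""
    out = bytearray()
    for j in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start_sample + j * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """The receiver 'filters the recording from the noise': read the length, then the message."""
    length = int.from_bytes(_read_bytes(stego, 0, 2), "big")
    return _read_bytes(stego, 16, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """How much did embedding alter any single sample? Never more than one level."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet me at the ballpark")
    print("capacity:", capacity_bytes(cover), "bytes")
    print("recovered:", extract(stego))
    print("largest change to any sample:", max_sample_change(cover, stego))
```

The weakness is the mirror of the strength: because the change is confined to the LSB plane, a statistical look at that plane alone (the histogram of pairs of adjacent values, for instance) is exactly how such hiding is detected, which is why Wayner’s later chapters move on to spreading the bits around.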
Top Secret Intranet: How U.S. Intelligence Built INTELINK—The World’s Largest, Most Secure Network
By Fredrick Thomas Martin
Prentice Hall, 1997
ISBN 0-13080-898-9, $34.99
This is one scary book. It’s the story of Intelink, the
U.S. Intelligence Community’s worldwide super-secure intranet.
Yeah, you got it, the CIA, NSA, Defense Intelligence Agency,
National Reconnaissance Office, FBI…. Never-before-revealed
insider information written by a retired spook.
But it’s not scary because it tells us how the CIA can
peek in via satellite and see the words we’re typing on
our laptops. It’s not scary because the author reveals
the innermost secrets of top officials. There are no tales
of murder and deceit. It doesn’t tell us about fancy security
hardware or software that we haven’t imagined in our wildest
dreams. This book is scary because Martin talks about
this super-secure network called Intelink, yet it appears
not to utilize some of the very security techniques that
we would guess it should. Although he stresses the need
for secure authentication and touts the use of certificates
and smart cards, the author clearly indicates that these
devices aren’t being used widely on Intelink. “In any
case, although several pilot projects are underway that
use X.509v3 certificates for authentication, their widespread
use on Intelink as a whole has not yet been established.”
He also talks about tokens as if he were struggling with
the concept of how people will respond to using them.
“It does raise the new issue of forcing users to be watchful
of their tokens, for without them they would not be able
to access Intelink.” (Therefore, couldn’t somebody else
in their place?)
I have trouble believing that this super-secret intelligence
intranet wouldn’t use the latest gewgaws for its own protection.
Sheesh. If I can obtain a certificate and even a certificate
server at moderate cost to manage secure communications,
if I can download for free a remote administration tool
that uses encryption keys in the three digits, what super-stealthy
products might the intelligence community have to play
with? Is this really the story of the Intelink? Is there
really such a thing? Is the real product protected with
far more sophisticated tools? Is he deliberately exposing
its weaknesses? Is it not really what it appears to be?
Is the Intelink perhaps a honeypot to trap spies?
The prospect of combining intelligence information in
one easy-to-manipulate form is scary enough. I hope this
book isn’t an indication of the security readiness of
such a project.