Roberta culls her considerable library to bring you some of the best and worst that’s been published on her favorite topic.

Armchair Security

Roberta culls her considerable library to bring you some of the best and worst that’s been published on her favorite topic.

• By Roberta Bragg
• 01/01/2000

Many of you have written to me asking for advice. Sometimes it’s the generic, “I’d like to break into the security field—what would you advise?” request, and sometimes it’s a specific problem you’re trying to resolve. But occasionally you ask, “What books do you suggest I read?” Sensing a fellow glutton for punishment, I usually refer you to my latest discovery or advise you to visit your favorite bookstore, empty the shelves of all security-related books, commandeer a reading table and chair, and dig in. Thus, you can select the books that speak to you. (When online bookstores offer this luxury, I’ll probably spend more money there.) Many of you, however, haven’t the time nor inclination to do this; or maybe you’re not ready to dive into some obscure tome that’s my current bedside companion. In tribute to these latter groups, I herein offer these pointers to finding useful security books.

Although this classic book was published eons ago in 1995 (in Internet years; 1 human calendar year equals 20 Internet years), it remains my first choice and the most recommended book on firewalls.Thirteen chapters discuss topics from A to Z and include “Why Internet Firewalls,” “Security Strategies,” “Firewall Design,” “Bastion Hosts,” “Authentication and Inbound Services,” and “Responding to Security Incidents.” The appendix covers TCP/IP fundamentals.

The book assumes you’re working with a Unix host, but most of the information is also relevant to Windows NT. I especially like Chapter 3, which details basic security concepts such as least privilege (only give privileges that are necessary to do assigned tasks and no more), defense in-depth (install multiple mechanisms that back each other up), choke point (force attackers to use a narrow channel), and weak point (know the weak points in your defense and take steps to eliminate them). It also covers fail-safe stance (sooner or later systems fail—when they do, they should fail in ways that deny attackers access), universal participation (security is everyone’s business), diversity of defense (use security systems from different vendors), and simplicity (if you can’t understand something, how do you know it’s secure?).

The chapters on building firewalls include information on design, packet filtering, proxying, and configuring Internet services. Want to know the packet filtering characteristics of NNTP or http? How about, “What can a malicious server do to your http clients?” Want advice on what to allow or not allow? (“The best way to allow IRC is to put an untrusted victim machine with no confidential data on it on a perimeter network and let users log into that machine to run IRC.” If you know nothing about firewalls, start with this book. If you know something about firewalls, read it. If you’re a firewall guru, read it, then recommend it.

Just the title will get you to buy the book, won’t it? Can DES (Data Encryption Standard) be cracked? Well, of course, you answer, it’s been done already (in 1997 and 1998, in 5 months and in 39 days, respectively). This book, however, outlines specifications for building a computer out of custom chips that would extract DES keys in days at reasonable prices, or hours at higher prices. The game, as outlined by the authors, has changed. It’s no longer a question of whether DES can be cracked (keys extracted) but rather “…a question of how cheaply they can be extracted and for what purposes.”

Most of the book is spent outlining the technical details of the Electronic Frontier Foundation’s research project to build a machine to crack DES. (EFF, at www.eff.org, is a non-profit public-interest organization devoted to protecting rights and promoting liberty online.)

The most fascinating part of the book for most of us, however, will be the section devoted to the politics of decryption. Decryption, as you recall, is the process of reading information that has been encrypted by finding and using the key that was used to encrypt it. Finding the key (called exhaustive or brute force search because one key after another is tried until the correct one is found) is the job of this machine. What can be political about that?

According to the authors, government agencies have a huge investment in protecting DES’ reputation. Statements are often made that it would take thousands of computers weeks or years to crack a single DES-encrypted message, when in reality, reputable scientists have calculated much shorter times. Why? The somewhat paranoid theory goes something like this. If business is lulled into using a weak key, then government agencies will be able to more easily compromise it. The success of this strategy, the authors say, relies on keeping industry and the public misled about DES’ security. In fact, they go further, claiming a deliberate promulgation of dis-information to prevent the adoption of stronger standards than DES and to encourage law and policy makers (Congress and the President) to require “key recovery” to support law enforcement. Key recovery is the policy that would require computer companies with encryption capabilities in their products to give the government the capability of compromising data encrypted through their product.

The authors and their team (10 part-time people) built their DES-cracking box for $210,000 (this included design, integration, materials, building, and testing) in 18 months. Buy this book and you can build your own, probably for a lot less. Buy it to learn (complete C code for the software included!). Buy it for your pre-teen daughter, who may just build a DES-cracking machine for her high school science fair project.

This author has a history. Try to learn something about intrusion detection—indeed, about security—and you won’t escape his name. Northcutt is the original developer of the Shadow intrusion detection system, a former head of the Department of Defense’s Shadow Intrusion Detection Team, and currently Chief Information Warfare Officer for the U.S. Ballistic Missile Defense Organization. In this action-packed volume (well, it’s not exactly a spy thriller or shoot-‘em-up), Northcutt details the process and paradigm of intrusion detection. Intrusion detection “…is not a specific tool, but a capability, a blending of tools and techniques.” As a teacher, nay, mentor or budding intrusion detection analyst, you’ll be led step-by-step into his world—the book becomes your reference and training manual.

It starts with a detailed analysis of the famous Kevin Mitnick attack. Here you learn about SYN Flooding, how the attacker covered his tracks, identified trust relationships using simple Unix commands and network traces, and went on to use TCP hijacking to gain confidential information. You’ll also learn how the attack could have been thwarted, and how it could have been detected at several points in the attack. Furthermore, Northcutt challenges you to use detection of this attack as a lowest-level threshold of intrusion detection capability. If your tool can’t reliably detect this attack, it’s not an intrusion detection tool, he says, it’s merely “…something that runs, whirs, and chips, and gives us the warm, numb feeling of security.”

Reading this book is to be seduced into late nights of discovery. Northcutt is the pied piper and I’m a child skipping after him out of town (OK, so I’m a little weird). His melodies speak of recon probes, scans, TCP wrappers, tripwire, IMAP, Back Orifice, Netbus, pathological fragmentation, FTP bounce, filters, and more. Specific attacks, their signatures, and filters to detect them are detailed, as well as how to write your own filters. Legal advice for the budding analyst is also given: “STOP! Take your hands off the keyboard and back away from the computer. Just because you can do something doesn’t mean it’s a good idea.”

The building of an intrusion detection system is covered and can help you in evaluating commercial solutions. Chapters 6 through 8 examine network traces. If you’re a TCP aficionado, these allow you to discover the signatures of attacks in progress; for gurus-in-training, a first study will teach a lot about IP. Later examination and study will reveal the attack signatures. Read it twice, and then read it again.

Did you know that switched networks are a major challenge for intrusion detection? Or that most intrusion detection systems on the market are full of false positives? What about how difficult it is to determine the difference between scanning for vulnerabilities and carrying out the actual attack? Would you like to know how ISS RealSecure functions under common attacks? How about a professional’s insight into other commercial intrusion detection products?

If intrusion detection is of interest to you, this book will get you started and keep you occupied. Buy it. Study it. Digest it. Use it. Or risk being written up in a future Northcutt book.

This book is now two years old. Is it still relevant? Its 642 pages address topics ranging from “Understanding the Risks,” “Understanding and Using Firewalls,” “Identifying and Defending Against Some Common Hacker Attacks,” to “Using Kerberos Key Exchange on Distributed Systems.” But the book also contains many pages on basic knowledge (40 pages on basic TCP/IP and networking knowledge—star bus and ring topology, anyone?—and information that dates the reference (IIS 4.0 beta available for download).

However, the book doesn’t seek to be a pontifical tome that challenges security, TCP/IP, or other information system experts. It’s written for the general public, and for IT professionals who have an interest in these issues but haven’t spent much time studying them. Clear, simple explanations step you through the basics and prepare you for further understanding. If you’re beginning your career in information systems, if you feel you have gaps in your understanding, then this book may be for you.

This book is set apart by its intention. Gollmann, who now works for Microsoft, took his notes from five years of teaching computer security at the University of London and produced what was intended to be a textbook. After an introduction to the fundamentals, you’ll find sections on NT and Unix, distributed systems (Web systems included), and theory. It’s meant for self-study or formal course presentation. What intrigued me, an instructor, about this book is the fact that teaching materials are advertised as available online. Unfortunately, I haven’t been able to connect to the advertised site.

Ever notice that books have an atmosphere, a certain je ne sais quoi? Furthermore, ever notice that academic books have as their atmosphere a respite for insomniacs? This book is guaranteed to scale a 9 on the yawn factor. Witness:

“…a set of subjects S; a set of objects O; the set of access operations A = (execute, read, append, write} that directly mirror the access rights… a set L of security levels with a partial ordering £ .B = R(S x O x A) is the set of current accesses.”

or:

“An element b Œ B is a collection of tuples (s,o,a), indicating that subject s currently performs operation a on object o...”

Sure, there’s some good information here, but like most academic material, it was never meant to intrigue my rather common mind. (Apologies to my thesis professor, Gordon; I know it just precisely defines things for you PhD types.) Personally, I think I can grasp the concepts—and even put them into play—without the above. But I’d love to hear what you think about this book. Be the first reader to let me know you’re interested and I’ll mail you my copy.

Those of us in the systems administration field are intent on making things happen. Some of us who like to consider ourselves security-conscious are intent on keeping things from happening. Then there are the information systems auditors intent on assuring that only the correct things have happened. Who’s responsible for making sure we can all do our jobs and that the protection from things that shouldn’t happen doesn’t get in the way of the things that need to happen? It’s the followers of the profession of information security, and this book outlines what they should know and do.

In my September 1999 column, “Become the Consummate Certified Security Professional,” I told you about the Certified Information System Security Professional (CISSP) title and the bear-of-an-exam that had to be passed to obtain that certification. This book can be thought of as the study guide for that test. No fancy cover, no title that screams of a quick and dirty way to assure yourself prosperity, no CD with a practice exam. You’ll see few charts and graphs, no funny faces or attention-getting icons, no “notes” that repeat what was said in the paragraph above. Instead, you get 10 subject domains that match those covered on the exam—excuse me—examination.

If you’re serious about information security, even if you choose not to pursue certification, this is the book to get. It covers access control, telecommunications and networking security, disaster recovery, security management, security architecture, law, ethics, application development security, cryptography, computer operations security, and physical security. Although this is a serious book, it’s not hard going. You’ll find yourself rapidly progressing through areas you’re familiar with, while paying attention to the less familiar. You’ll find generally accepted solutions to security issues as well as plenty of ideas to help make your systems more secure.

Take the section on “Protecting the Portable Computing Environment.” While most of us have thought of the dangers of traveling with corporate data on our laptop, have you been concerned with shoulder-surfing travelers who might learn your remote access logons? Are you aware that many wireless networks don’t encrypt the logon and password? What about the danger of sharing the company laptop? Will users always remember to destroy files they’ve saved to the hard disk? Is it possible someone might recover that data even if it’s deleted? If you leave your laptop in a hotel room and it’s stolen, do you lose more than the cost of the laptop? The module ends with a list of suggestions for securing laptops. This compilation includes the use of data encryption, encrypted logons, not storing the password on the hard disk, biometric or other enabling devices, and the use of plain and simple 3.5-inch disks while on the road, which can be locked in a safe during your stay.

Let’s see…Tons of detailed information. “Management’s Role in Computer Security,” “Employment Policies and Practices,” “Legal Issues in Computer Security,” “Computer Crime and Computer Criminals,” “Auditing Computer Security,” “Penetrating Computer Systems and Networks,” “Security of Computer Data, Records and Forms,” and the list goes on. Then the appendix starts. This book is for managers—I can see it being used for a graduate-level course—but is the information useful to those of us in the trenches?

If you like checklists, this book’s got ’em. There’s the Employee Security Checklist, the Contingency Planning Checklist, the Security Environment Survey Questionnaire, the Legal Checklist, the Hardware Security Checklist, the Virus and Related Threats Checklist, the Data Communications and Networking Checklist, the Data Encryption Checklist, the Security of Computer Data Checklist… Need I go on?

Want a history and evolution of computer-related crime? In the 1960s and 1970s, the number of reported computer-related incidents (vandalism, theft, fraud, and unauthorized use or sale) never exceeded 100 a year. (Of course, how many computers did we have in those decades?) Did you know that the typical computer criminal is male, white, young, (ages 19 through 30), and has no previous criminal record? (Well, duh, aren’t most computer professionals male, white, young, without previous criminal record?) My opinion: Get this one if you’re a manager or consultant, the checklists alone will justify its price; get other books for the details.

If all our efforts focus on preventing others from access to our innermost secrets, doesn’t it hold true that they’d have to find them first? I’m not talking about placing data within a labyrinth of disks and files and protecting it with the latest in security technology, I’m talking about making data disappear. Peter Wayner suggests we can. He says we can hide messages within the noise of the images and sound files that float around the Internet. He claims an eighth of an image file can be used to hide information without changing the quality of the image. Better yet, turn data into the voice-over to a baseball game. To most people listening, it’s a broadcast. To the initiated, it’s a message. How is this steganography (disappearing cryptography) done? Each chapter in the book describes a technique, and there’s code at the end of the book to implement some of it.

Take, for example, the baseball game voice-over. Just how would you hide information in such a scenario? Easy, the author says. Each sentence of the production can be converted into 1s and 0s. If the announcer says, “Here’s the pitch. Nothing on that one,” or “Here comes the pitch—it’s a curvaceous beauty,” the nouns and verbs can have assigned bits. The result might be 1101 and 0011, respectively. Get the drift? To find the true message, you have to know the assignments. Listen to the broadcast, write down the bits, then translate the bits by some pre-agreed upon formula. To create the message, you have to agree to the bit assignments, then run the message through a program that’s been designed to produce baseball voice-over type sentences from a string of bits.

The technique I liked best is based on hiding your secrets among the noise. When pictures or movies are digitally encoded, a certain amount of meaningless noise—extra bits—get in the mix. Why not use these extra bits, since no one cares about them? You could change them to hold your message. Most people strain to filter the noise from the recording; your receiving partner will filter the recording from the noise. Hiding things in noise is actually one of my specialties. After all, there are all kinds of valuable things right in plain view in my house, but they’re hidden from thieves and vagabonds, (and sometimes myself) by the exceedingly large amount of noise (disorder) that exists all around them.

This is one scary book. It’s the story of Intelink, the U.S. Intelligence Community’s worldwide super-secure intranet. Yeah, you got it, the CIA, NSA, Defense Intelligence Agency, National Reconnaissance Office, FBI…. Never-before-revealed insider information written by a retired spook.

But it’s not scary because it tells us how the CIA can peek in via satellite and see the words we’re typing on our laptops. It’s not scary because the author reveals the innermost secrets of top officials. There are no tales of murder and deceit. It doesn’t tell us about fancy security hardware or software that we haven’t imagined in our wildest dreams. This book is scary because Martin talks about this super-secure network called Intelink, yet it appears not to utilize some of the very security techniques that we would guess it should. Although he stresses the need for secure authentication and touts the use of certificates and smart cards, the author clearly indicates that these devices aren’t being used widely on Intelink. “In any case, although several pilot projects are underway that use X.509v3 certificates for authentication, their widespread use on Intelink as a whole has not yet been established.” He also talks about tokens as if he were struggling with the concept of how people will respond to using them. “It does raise the new issue of forcing users to be watchful of their tokens, for without them they would not be able to access Intelink.” (Therefore, couldn’t somebody else in their place?)

I have trouble believing that this super-secret intelligence intranet wouldn’t use the latest gewgaws for its own protection. Sheesh. If I can obtain a certificate and even a certificate server at moderate cost to manage secure communications, if I can download for free a remote administration tool that uses encryption keys in the three digits, what super-stealthy products might the intelligence community have to play with? Is this really the story of the Intelink? Is there really such a thing? Is the real product protected with far more sophisticated tools? Is he deliberately exposing its weaknesses? Is it not really what it appears to be? Is the Intelink perhaps a honeypot to trap spies?

The prospect of combining intelligence information in one easy-to-manipulate form is scary enough. I hope this book isn’t an indication of the security readiness of such a project.