Beautiful Security, 1st edition. By Andy Oram and John Viega. O'Reilly Media Inc., 2009.
I have read another security book co-edited by the notable security expert John Viega (the previous one was The Myths of Security). This book offers a comprehensive analysis of today's security, its problems, and ideas for improvement. A number of people have contributed to this book, which makes it a lot of fun to read. Each chapter is written in its own style. This book is a potpourri of security topics.
In Chapter 1 the book mentions a number of reasons why security is so difficult to adopt in the modern software lifecycle. The reasons are: learned helplessness, naivete, confirmation traps, and functional fixation. Examples are provided for each problem. It turns out that Microsoft messed up a great deal with its network authentication protocols while trying to preserve backward compatibility. As a result, an improved version of the network protocol still carried the features of the previous, weaker version, and the improvement was therefore nullified. Another great example was a company undergoing a security audit that successfully exploited vulnerabilities in the scanner the auditor was using. This way they were able to demonstrate that the auditor was not competent enough to audit their organization.
Chapter 2 is dedicated to wireless networks. The book describes how easy it is now to earn money through faked wireless networks in public areas such as airports. Wireless networks are also very dangerous in the corporate world because employees tend to use their personal, unprotected wireless-enabled devices to access the intranet, which opens lots of possibilities to road warriors. Shocking stuff which makes you wonder why we are still using wireless.
Chapter 4 sheds light on the underground security economy. This includes prices typically offered for producers of malware and owners of botnets. It is so detailed that it makes me wonder how the author got all this information himself.
Chapter 5 raises the well-known problem of using credit cards on the Internet and the dangers of privacy breaches. A new scheme for Internet commerce is proposed. Its cornerstone is the idea of using virtual or one-time credit card numbers. This idea has already been implemented in a few banks, but many users are either unaware of it or don't consider the threat big enough to justify the overhead it imposes (the need to log in to the banking site to generate a one-time number every time you make a purchase on the Internet). Obviously, one of the biggest challenges that the community needs to address is removing this overhead.
Chapter 6 deals with online advertising. I never thought that it was such a battlefield for both white hats and bad guys! Everybody has heard of click fraud, where the advertising agency is the victim. What is surprising is that there are lots of malicious advertising agencies which employ a number of forms of cheating, for example placing ads on top of each other with different z-values, or displaying your ad for only a few seconds and then replacing it with another ad (indeed, your agreement probably does not mention how long the ad will stay visible, because you assume it is as long as the user stays on the page), and so on. Then the book mentions several forms of online advertising: pay per view, per click, and per transaction (the last one means that the user has to buy something before the advertiser pays the agency). Even the most secure form, pay per transaction, is vulnerable to realistic attacks when a gang of malicious buyers buys things only to return them immediately to the shop! I could never have imagined that this was possible, but the book claims that the number of buying gangs is growing.
Chapter 7 – a great overview of the history of PGP and the web of trust (I am running out of space to go into greater detail).
Chapter 8 – honeyclients. The book claims that client exploits are more dangerous than server-side ones because it takes longer to fix the former. Honeyclient was an academic idea which has grown into a useful product! It employs a number of virtual machines running unprotected Windows and visits various suspicious sites. When a change in the state of the OS is detected (registry, file system), an alert is triggered.
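The file-system half of the honeyclient idea (snapshot the guest, visit a site, snapshot again, alert on the difference) is small enough to sketch. The block below is an added illustration, not the Honeyclient project's code: it hashes every file under a directory tree built in a temporary folder, simulates a "visit" that drops, edits and deletes files, and reports what changed. The directory layout and file names are constructed for the demo; a real monitor would also diff registry hives and running processes.

```python
"""Snapshot-and-diff skeleton in the spirit of a honeyclient (added example).

Constructed demo: the 'guest' is a temp directory, the 'visit' is a function
that mutates it. Only file content is tracked; registry/process state is out
of scope here.
"""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map relative path (forward slashes) -> SHA-256 of every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = digest
    return state


def diff_snapshots(before, after):
    """Return (added, removed, modified) path lists between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified


def simulated_visit(root):
    """Stand-in for 'browse to a suspicious site': the page drops a new file,
    appends to a system config file and removes a log (all constructed)."""
    with open(os.path.join(root, "Temp", "dropped.bin"), "wb") as fh:
        fh.write(b"\x00\x01\x02\x03")
    with open(os.path.join(root, "hosts"), "a") as fh:
        fh.write("203.0.113.5 example.invalid\n")
    os.remove(os.path.join(root, "visit.log"))


def run_demo():
    """Build a baseline tree, snapshot, 'visit', snapshot again, and diff."""
    root = tempfile.mkdtemp(prefix="honeyclient-")
    try:
        os.makedirs(os.path.join(root, "Temp"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "visit.log"), "w") as fh:
            fh.write("baseline\n")
        before = snapshot(root)
        simulated_visit(root)
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    added, removed, modified = run_demo()
    # Any non-empty list after visiting a page is the alert condition.
    print("added:", added, "removed:", removed, "modified:", modified)
```

The alert rule is deliberately blunt: on a throwaway VM that does nothing but browse, any unexplained change is worth an alert, which is why the approach works without signatures.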
Chapter 9 – new ideas for the security industry. It mentions the need for better cooperation using social networking.
Chapter 10 explains how to integrate security into development practices. Every stage of the process needs to incorporate security. A common mistake is to address only one stage, for example development, and then expect overall improvement – not necessarily the case. Microsoft spent its 2 billion dollars not just on running a source code analyzer on Windows but on re-engineering the whole development cycle.
All right, let's skip a few chapters…
Chapter 13 explains the importance of logging and provides one real-life example of how an FTP server was hijacked. I was surprised to find out that many large organizations are still using FTP servers with a world-writable incoming directory. This exposes them to bad guys who use such servers as illegal file shares. Only thorough logging can detect such uses. How do we sift through millions of log records?
Chapter 14 claims that the detection rate of modern IDS is only 32%. What a shocking number! This is due to the limitations of signature-based approaches. A better idea is to use behavior-based methods, which require taking context into account to separate false negatives from false positives. For example, if a mail server makes 100 outgoing connections, is that an indication of it being owned? Is it sending spam as a zombie? If yes, we need to stop the server immediately. If no, stopping it could disrupt the functioning of a large enterprise. What are the normal activities of a mail server, a file server, etc.? Machine learning algorithms are becoming useful.
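The two chapters above ask related questions: how to sift millions of FTP log lines for the "incoming directory used as a file share" pattern (Chapter 13), and how to judge whether 100 outgoing connections from a server is normal given its role (Chapter 14). The following added example, which is mine and not from the book, answers both on constructed data. The log format, the `/incoming/` convention, the host roles and their connection history are all assumptions made for the demo. The dropsite detector flags a file uploaded under `/incoming/` by one client and later downloaded by different clients; the behaviour check scores a server's hourly outgoing connection count against a per-role baseline and against the ports that role is expected to use.

```python
"""Log sifting and role-aware baselining (added example, constructed data)."""
import os
import re
import stat
import statistics
import tempfile
from collections import defaultdict

# ---- Chapter 13: sifting FTP transfer logs -------------------------------
# Constructed log format: one line per transfer, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) op=(?P<op>STOR|RETR) "
    r"path=(?P<path>\S+)(?: size=(?P<size>\d+))?$"
)

SAMPLE_LOG = [  # constructed sample lines
    "2009-03-12T10:15:02 user=jdoe ip=10.0.0.8 op=STOR path=/incoming/report.pdf size=20480",
    "2009-03-12T11:02:44 user=anonymous ip=198.51.100.7 op=STOR path=/incoming/.tmp/pack.r00 size=734003200",
    "2009-03-12T11:40:10 user=anonymous ip=203.0.113.9 op=RETR path=/incoming/.tmp/pack.r00 size=734003200",
    "2009-03-12T12:05:31 user=anonymous ip=203.0.113.10 op=RETR path=/incoming/.tmp/pack.r00 size=734003200",
    "2009-03-12T12:07:00 user=anonymous ip=203.0.113.11 op=RETR path=/pub/readme.txt size=1200",
    "garbage line that does not parse",
]


def parse_log(lines):
    """Yield dicts for lines matching LOG_RE; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"] or 0)
            yield rec


def find_dropsites(lines, incoming="/incoming/"):
    """Files under `incoming` stored by one IP and retrieved by other IPs.
    Returns {path: sorted list of downloader IPs other than the uploader}."""
    uploader = {}
    downloaders = defaultdict(set)
    for rec in parse_log(lines):
        if not rec["path"].startswith(incoming):
            continue
        if rec["op"] == "STOR":
            uploader[rec["path"]] = rec["ip"]
        else:
            downloaders[rec["path"]].add(rec["ip"])
    result = {}
    for path, ips in downloaders.items():
        others = ips - {uploader.get(path)}
        if path in uploader and others:
            result[path] = sorted(others)
    return result


def world_writable(path):
    """True if 'other' has write permission on path (the misconfiguration
    the chapter describes for incoming directories)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo_directory_check():
    """Create a temp dir, make it world-writable, then tighten it."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o1777)
        loose = world_writable(d)
        os.chmod(d, 0o755)
        tight = world_writable(d)
        return loose, tight
    finally:
        os.rmdir(d)


# ---- Chapter 14: context-aware behaviour baseline -------------------------
# Constructed history: role -> hourly outgoing connection counts.
HISTORY = {
    "mail": [80, 95, 110, 120, 90, 105, 115, 100, 98, 112],
    "file": [5, 3, 8, 4, 6, 2, 7, 5, 4, 6],
}
# Destination ports each role is expected to open outbound (assumed).
EXPECTED_PORTS = {"mail": {25, 53, 587}, "file": {53, 389}}


def baseline(samples):
    """Mean and population standard deviation of historical counts."""
    return statistics.mean(samples), statistics.pstdev(samples)


def assess(role, count, dest_ports, k=3.0, history=HISTORY, expected=EXPECTED_PORTS):
    """Combine volume anomaly with port context to pick a response."""
    mean, sd = baseline(history[role])
    volume_anomaly = count > mean + k * sd
    unexpected = set(dest_ports) - expected[role]
    if volume_anomaly and unexpected:
        return "isolate"        # both signals agree: act now
    if volume_anomaly or unexpected:
        return "investigate"    # one signal: a human looks before disruption
    return "normal"
```

The same count of 100 connections is "normal" for the mail role and "isolate" for the file role, which is the point the chapter makes: the number alone carries no verdict until context is attached. The three-sigma threshold and the role-to-port map are the parts a real deployment would learn from its own traffic rather than hard-code.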
Chapter 15 presents a new framework for secure databases. However, it is not based on encrypting tables using DBMS facilities. Instead, the data translucency approach stores encrypted versions of sensitive data such as user names. The key is generated from the user name and password, which makes it possible to identify the data belonging to a particular user. But the database still operates on the encrypted data.
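To make the translucency idea concrete, here is an added example of my own (not the chapter's framework and not a standard library API for it). A key is derived from the user name and password with PBKDF2; a keyed hash of that key becomes the row identifier the database indexes on, and the sensitive payload is encrypted under a per-record nonce with an HMAC-SHA256 counter keystream, which is an illustrative PRF-based stream cipher chosen to keep the block on the standard library, not a recommendation over AES-GCM. The table holds only tokens and ciphertext, so it can still index, count and return rows, but cannot name the user; only someone holding the password can locate and read them. The fixed salt is an assumption for reproducibility.

```python
"""Translucent storage demo (added example, standard library only)."""
import hashlib
import hmac
import os

SALT = b"constructed-fixed-deployment-salt"  # assumed; per-deployment in practice
PBKDF2_ROUNDS = 50_000


def derive_key(username, password):
    """User-specific key; the database never sees it."""
    material = (username + "\x00" + password).encode()
    return hashlib.pbkdf2_hmac("sha256", material, SALT, PBKDF2_ROUNDS)


def row_token(key):
    """Opaque identifier the database indexes on instead of the user name."""
    return hmac.new(key, b"row-id", hashlib.sha256).hexdigest()


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks; symmetric, so it
    both encrypts and decrypts. Illustrative construction, not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def store(table, username, password, plaintext):
    """Append an encrypted record under the user's token."""
    key = derive_key(username, password)
    nonce = os.urandom(16)
    blob = nonce + _keystream_xor(key, nonce, plaintext.encode())
    table.setdefault(row_token(key), []).append(blob)


def fetch(table, username, password):
    """Recompute the token and decrypt; a wrong password yields no rows."""
    key = derive_key(username, password)
    rows = table.get(row_token(key), [])
    return [_keystream_xor(key, blob[:16], blob[16:]).decode() for blob in rows]


def record_count(table):
    """What the database can still do without any password: count rows."""
    return sum(len(rows) for rows in table.values())


def run_demo():
    table = {}  # stands in for a real table: token -> list of blobs
    store(table, "alice", "correct horse", "ssn=000-00-0000")
    store(table, "alice", "correct horse", "dob=1970-01-01")
    store(table, "bob", "hunter2", "ssn=111-11-1111")
    return table


if __name__ == "__main__":
    t = run_demo()
    print(fetch(t, "alice", "correct horse"))  # the owner's two records
    print(fetch(t, "alice", "wrong password"))  # [] : token does not match
    print(record_count(t))                      # 3, without knowing anyone
```

The overhead the chapter accepts is visible here too: there is no way to run "find all rows for alice" as an administrator, because the lookup key does not exist on the server side.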
Finally, Chapter 16 describes a framework for desktop security based on machine learning, snapshotting, and fast reboots. I recall that several years ago this idea was published in a paper from Stanford University researchers (Armando Fox).