Saturday 2 January 2010

Book Review: Beautiful Security

Leading Security Experts Explain How They Think

Andy Oram & John Viega (editors)

Nineteen experts in the field contribute sixteen chapters, comprising a far-reaching discussion of the techniques, technology, ethics, and laws at the centre of the present network security revolution. It's a thought-provoking anthology of the bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. These writers are the selfsame people who have found unusual solutions for writing secure code, designing secure applications, and addressing modern challenges such as wireless security and Internet vulnerabilities - then hacking into them.

The book covers the new and more aggressive security measures being contemplated and utilised today, and what they are leading to. Examples include: "rewiring" the expectations and assumptions of the organization, regarding its security; evolution and new projects in Web of Trust; legal sanctions to enforce security precautions; security as a design requirement; an encryption/hash system to protect user data; attack detection; and the criminal market for stolen information. Or as the back cover has it,
Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:
  • The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey;
  • How social networking, cloud computing, and other popular trends help or hurt our online security;
  • How metrics, requirements gathering, design and law can take security to a higher level;
  • The real, little-publicized history of PGP.
That last item, incidentally occurring about halfway through the book, is one of the best, and the most technically and historically accurate, short-form accounts of the origin and evolution of the Web of Trust on record. Also beautifully illustrated (with added XKCD!), it's a true gem.

The following comprises a more detailed review of the first half of the book, in terms of number of pages, chapters, and contributing authors.

Chapters and Authors

Logically enough, Peiter "Mudge" Zatko (blog), ex-leader of the hacker think tank known as The L0pht, ex-Cult of the Dead Cow, the inventor of the buffer overflow exploit (and the man who once told the U.S. Senate that he could take down the internet in 30 minutes), provides the first chapter dealing with broad security and related matters, including sociology and psychology, while asking where vulnerabilities emerge from. Examples of the exploits which are examined include of course the notorious LANMAN hash legacy cockup, that led to Microsoft enabling the L0phtCrack (although there is certainly sufficient balancing material implicating other systems and organisations: Unix, Apple).

Jim Stickley follows up with a piece on the special vulnerability of wireless networks, pointing out the various ways in which Wi-Fi undermines organizational security. TJX gets its first mention here, as that leak of between 36 million and 200 million credit card numbers was wholly facilitated by unprotected wireless access points. Jim also notes that at least nine other organizations succumbed to the same hack (see TJX Hacker ‘Will Never Commit Any Crime Again’ in Wired magazine for a fairly recent update and some fascinating background on those cases).

Then, Dr Elizabeth A. "Betsy" Nichols takes up the story of security metrics, again using that TJX example, but also adding in those of Barings Bank, and of the more general phenomenon of ATM fraud, to demonstrate surgically how the careful application of such metrics can lead to prevention and/or early detection in such cases. An enlightening demonstration of the judicious application of hindsight in security process and strategy improvement, this chapter alone is worth the cost of the book. Required reading, Dr Nichols's contribution - double the average chapter length of 15 pages - stands out as a learned introduction to a brand new, interdisciplinary field of academic study.

Chapter 4 finds Dr Chenxi Wang reflecting on the underground economy of security breaches. She analyses the players or "actors" in this community into a handful of categories or interlocking roles: malware producers, resource dealers, information dealers, criminals (including fraudsters and attack launchers), and cashiers. Each of these and its environment is then further analysed, showing the workings of this dark network of support and trade. Finally there are a few suggestions on how to encourage collaboration and combat this growing underground economy.

Orbitz Worldwide VP Ed Bellis contributes an analysis of e-commerce security, exposing its fundamental flaws, its "overly broad and ultimately unnecessary" assumptions, and the patches that have been applied to it historically, including such "weak amelioration attempts" as the CV2 security code. There follow several informative evaluations of more ambitious protocols like Visa's 3-D Secure, and Visa/MasterCard's SET Certificates, which have proven unwieldy in practice; and Virtual Cards, which recently have fared better. Ultimately though, his proposal for a completely new (yet built with familiar components), simple, efficient, effective, beautifully scalable e-commerce security model, based on solid requirements - and just to spoil you, presented pictorially - is what brings you that rewarding moment of insight.

A well-known consumer champion in the arena of online advertising, Professor Ben Edelman brings his Harvard Business School expertise to bear on "malvertisement" banner ads, click fraud, spyware and adware, showing samples of the hundreds of online advertising scams he's uncovered over the past five years, explaining their background, their operation, and what regulators and ordinary users can do about them. Uniquely, he also goes into some detail about the legitimate advertiser's vulnerabilities and concerns, including the implications of fast per-click payment, and accountability.

Phil Zimmermann, creator of email encryption package Pretty Good Privacy (PGP), and Jon Callas, cofounder and CTO of PGP Corporation, co-wrote chapter 7, which was already marked out for special mention above: The Evolution of PGP's Web of Trust. Technically detailed without being reductively mathematical, and historically accurate yet apolitical, this must be the best ever (layman's, short) introduction to the key (sorry!) concepts, definitions and derivations of public key cryptography. Infused with real drama, IP infighting, government involvement and patent wars, the chapter closes with its own self-contained lists of references and areas for further research.

Back to client exploit detection now, where scientist and information security engineer Kathy Wang is our guide to honeyclients - systems that can monitor the behaviour of potentially vulnerable client software, such as web browsers, when driven to potentially malicious websites. In keeping with this book's determination to use only the very best writers on a given subject, we are unsurprised to learn that Kathy designed the very first honeyclient prototype in 2004. She describes the evolution of the form, through the 2nd generation design, using VMware to host Windows XP on Linux, giving examples of actual operational results, and ending with analyses of these, the limitations of current designs, and future developments including P2P.

And So On...

The above material covers just over half of the book in terms of page, chapter and author count. I stop here for the rather trivial reason that the next author in sequence, while certainly an equally prominent figure on the web, is not well represented by readily available images, and so breaks my format.

Rest assured that you'll find the quality of the second half of the book equally high, and the variety of its content equally diverse and surprising.

About The Editors

The achievement of an anthology of this consistently high quality is only possible with good editors, who (1) know great writing when they see it, and (2) recognise the most contemporary material, and so know what must be included. These duties are shared and admirably carried out by Andy Oram, an author and publisher of long standing at O'Reilly, and John Viega, CTO of the SaaS Business Unit at McAfee, previously their Chief Security Architect. To the list of their successes must be added one of the most important decisions about this anthology, namely to present the various stories in a sequence providing "an engaging reading experience that unfolds new perspectives in hopefully surprising ways." This clever decision enhances enjoyment of the fascinating material even more.

Ah, One Last Thing...

All royalties from sales of this book are donated to the Internet Engineering Task Force (IETF), whose stated goal is to "Make the Internet work better". So if we were still in any doubt, this final fact should convince us that Beautiful Security is by far the best and the coolest book on this subject that has ever been assembled.

Even if, in one kaktosophobic colleague's opinion, it also has one of the ugliest of covers.

Beautiful Security
Leading Security Experts Explain How They Think
Andy Oram & John Viega (editors)
O'Reilly Media Inc
6 May 2009
ISBN-10: 0596527489
ISBN-13: 978-0596527488

Coming soon, to a coffee table near you...
