The magazine of the Melbourne PC User Group

System Security, Information Protection, and Privacy - for the bookshelf
Major Keary
 
The widespread use of computers for communications and storage of information has brought with it a host of security problems. These can be dealt with, in the widest sense of the word, at various levels. There are tools designed for ease of use by novices, but which nevertheless require high levels of engineering and programming skill to create, and there are complex tools for use in enterprise environments. The literature reflects that range: books for everyday users, for engineers and programmers, for system and network administrators, and for theoreticians. There is another class of literature, peculiar to the field, that describes the way in which attacks are mounted - and sometimes written by people who engaged in that kind of activity.

A Cautionary Tale

The case study reproduced below is presented in a professional text for information systems security officers. The author later describes his thoughts on the qualifications an information systems security officer should have:

".... a formal education including at least associate degrees and bachelor's degrees in computer science, criminal justice, business, sociology, government and politics, and psychology, and at least one master's degree (MBA in international business). Understand the world, changes in nation-states' relationships, different societies and cultures, and the impact on IE assets protection philosophies, strategies, and the like; understand the global marketplace and competitors....." [and lots more].

Not sure of what 'IE' stands for? Information Environment, which is defined as "The aggregate of individuals, organisations, or systems that collect, process, or disseminate information; also included is the information itself". Now, doesn't that knowledge make you feel more empowered?

Case Study

In his book Following the Equator, Mark Twain wrote about how one can take advantage if one has information before the competitor and knows how to act on that information. At the time of Twain’s world travels, sharks populated the harbour of Sydney, Australia. The government paid a bounty on sharks. A young man was down on his luck and walking around the harbour when he met an old man who was a shark-fisher, who had not caught a shark all night. The old man asked the young man to try his luck. The young man caught a very large shark. As was the custom, the shark was disembowelled, as sometimes one found something of value. As it happened this young man did.

The young man went to the house of the richest wool-broker in Sydney and told him to buy the entire wool crop deliverable in 60 days. They formed a partnership based on what the young man found in the shark. It seems that the shark had eaten a German sailor in the Thames River. In the belly of the shark were found not only his remains, some buttons, and a memorandum book discussing the German’s returning home to fight in the war, but also a copy of the London Times that had been printed only 10 days before. At that time, news from London came by ship that took about 50 days. However, sharks traveled faster than the ships of that time. The Times stated that France had declared war on Germany, and wool prices had gone up 14% and were still rising. No other Australian wool brokers or wool producers would know that wool prices were skyrocketing for at least 50 days. By then the young man and his partner the wool broker would own all the wool, purchased at the “normal lower price,” and could ship it to Europe for a very handsome profit.

The author's wish list does not include a particularly essential quality for those engaged in protective security: a well-developed critical faculty.

The war referred to in the 'case study' would be the short-lived 1870-1871 Franco-German war. What must test even the most credulous person is the amazing feat of a shark that travelled from London to Sydney in ten days (average speed about 100 kph). And what a newspaper: able to withstand for ten days the shark's digestive processes sufficiently for it (the newspaper) to be still readable! Then there is the feat of the fisherman who, while standing on shore, casually caught and landed a "big" shark that was able to eat an adult (with his book and newspaper). Apart from those astounding feats, there are several other parts of the story that should have rung an alarm bell.

The moral is, 'believe nothing', even when it comes from someone with "over 40 years of experience in industrial security, investigations, information systems security, and information warfare in .... the U.S. Government as a special agent, .... and consultant for numerous United States and foreign government agencies .... ".

It is important to establish trust in a source before accepting, at face value, any information it offers. It is not necessary for that assessment to be 'black-and-white', true/false; sources should be graded, and that is a matter for judgement. What does that mean to you as a user? A lot. Whether it is blocking spam, rejecting certain attachments, testing for virus infection, or configuring a firewall, ordinary users have to make their own judgement of trust (or distrust). So, here are some books, at different levels and with different perspectives, about how to look after your privacy and information.

The Art of Deception

".... the real cause of data security breaches [is] stupid humans" [Stephen Manes in Forbes magazine]. The strongest, most sophisticated safe provides no protection if someone forgets to lock it, or leaves the key or combination lying about.
 
Who remembers Kevin Mitnick? Who has heard of Kevin Mitnick? He was the FBI's most wanted attacker (they called him a 'hacker', but that's a term with other connotations), 'did time' for breaking into computer systems, and now runs an information security firm. Mitnick's success was based primarily on what is called social engineering: simply persuading someone to divulge information. Not just any information, but something that provides a key, which in turn enables a technical attack.
 
One of the incidents related in the introduction is that of Stanley Rifkin's theft of ten million dollars in 1978 (a lot of money in those days) from an American bank. He managed to have the funds transferred to a Swiss bank account, and used a substantial part of the money to buy diamonds that he took back into America for conversion into real money. At the time it was the largest bank robbery in history, all done without a gun, clandestine entry, or even a computer. Just conversations over the telephone.

Mitnick describes a series of scenarios - many drawn from real life - and analyses each one for the benefit of those who are charged with protecting systems. The last part of the book lays out security policies under specific headings, with explanatory notes. These are concise, but contain all the detail necessary; they make up an excellent and practical checklist.

This is an entertaining read as well as a practical, comprehensive guide to security. Technology can make it more difficult for an attack to succeed, but the more humans there are in the chain of protective procedures the more vulnerable the system is. The book shows how it is done, knowledge of which is a necessary step in arriving at a solution.
 
If you want to be entertained, read this book. If you want to understand the threat posed by social engineering, read this book. If you want policy solutions, read this book.
 

Kevin Mitnick and William Simon: The Art of Deception
ISBN 0-7645-4280-X
Published by Wiley, 352 pp.,
RRP $29.95 incl. GST

Steal This Computer Book

No Starch Press is a publisher with a small list, but what they do is always interesting, useful, and done well; some of their titles are the only texts on particular subjects. This title, Steal This Computer Book, is now in its third edition. The design is eye-catching and clever: the cover is in black and white with signs of having been reproduced on an ailing photocopier, and has fingerprint smudges all over it. The pages also carry the tell-tale speckles of a sick photocopier, and page numbering is on simulated black finger smudges. The rather rough quality of the paper has been chosen to fit in with the illicit copy 'theme', as is the slightly off-horizontal alignment of chapter headings. The back cover carries a warning: "This book is not to be used for hacking into government computers, shutting down AOL, cracking software, phone phreaking, spreading viruses, or any other illegal activity".
 
It is a 'good read', quirky, and a valuable addition to the literature. The author has a healthy scepticism of political establishments and a remarkable capacity for lucid technical communication. For example, his explanations of how viruses work are the best I have seen for ordinary readers.

The author focuses on technical attacks, but makes the following statement by way of introduction to a discussion of The Art of Social Engineering:
"The easiest way to get into any computer is to ask someone to give you access. Naturally, computer administrators aren't going to give access to anyone who asks, so hackers just ask the people who have regular access to the computer but little interest in protecting that computer."

The book is in parts, the first of which - Information Overload (Lies, Damn Lies, and Statistics) - talks about finding information on the Internet, using the Internet for online activism, alternative sources of news and information, using e-mail to obtain pages from banned sites (an interesting Web-to-email site is www.bellanet.org), and where the hackers hang out.

Part 2 is an informative discussion of malicious code (viruses and the like), scams, invasion of privacy, packet sniffers, Web spoofing, keystroke loggers, and phishing (obtaining credit card details by deception). Part 3 is about breaking into computers (one has to know how it is done in order to protect against it). Part 4, Protecting Yourself, deals with spam, Web bugs, adware, pop-ups, spyware, how to protect your data and privacy, and even some hints on piracy. Part 5 deals with protecting the system (including firewalls, honey-pots, erasing data, and 'forensic' tools) and has an interesting account of the sophisticated methods that can be used to retrieve erased data. Appendices contain useful references and information (such as A Hacker's Gallery of Rogue Tools).

The author's approach is one of seeing the problem through the attacker's eyes. He shows how they hide their identities, create viruses and Trojans, and crack software protection. That information is the basis for the protective measures described. Want to know about port scanning and ping sweeping? It is here, in easy-to-understand language.
 
A companion CD with hacking-related software and text files is available for purchase (US$4.95) and there is a supporting Web site.

Wallace Wang: Steal This Computer Book 3
ISBN 1-59327-000-3
Published by No Starch Press, 359 pp.,
RRP $49.95 incl. GST

Exposing Cryptovirology

Malicious Cryptography is an example of a 'high-end', highly technical topic that has, so to speak, been translated into language that informs, and warns, designers and counter-designers of information and integrity protocols. The work was the subject of a doctoral thesis, has been published widely in professional journals, and has been presented in a number of papers at professional conferences (for example, at the Eighth Australasian Conference on Information Security and Privacy). It is not light reading, but is a tour de force in technical communication.

The term, cryptovirus, means "a computer virus that contains and uses a public key", and has given rise to other terminology, such as cryptovirology, kleptogram (which is the vehicle for delivering a cryptovirus), and cryptotrojan.

Imagine an enterprise (or even government) database being held to ransom; it is suddenly discovered that the whole, or vital parts of, the database have been encrypted in a clandestine attack that has left no trail back to the offender(s). For a fee (which may not necessarily be in money) the extortionist will provide the key to decryption and restoration of the database. Imagine the same cryptographic techniques that are used to protect a password being used to steal it. Imagine a virus that "can be used to steal CPU time to try to factor composites, compute discrete logarithms, and so on". The methods turn public key encryption against itself.
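To make the mechanism in that paragraph concrete, here is a toy model in Python, added for this column and not taken from Young and Yung's book or from any other source. Everything in it is constructed: the RSA primes are about 20 bits long so the arithmetic is readable, the "database" is a few in-memory records, and the bulk cipher is a SHA-256 keystream standing in for a real cipher. It shows the structural point that matters to a defender: the payload carries only the public key, so examining a captured copy does not yield the key that unlocks the data. The defender in the toy recovers it only by factoring the tiny modulus, a step that does not scale to real key sizes, which is why an offline backup is the practical safeguard.

```python
import hashlib
import secrets

# Constructed toy RSA key.  The primes are about 20 bits so the arithmetic is
# readable and so the defender's factoring step below finishes at once; a real
# cryptovirus would embed a 2048-bit or larger modulus.
P, Q = 1000003, 1000033
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)).  Only (n, e) is ever placed in the payload;
    (n, d) stays with the extortionist."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _keystream_xor(key: int, data: bytes) -> bytes:
    """Toy bulk cipher: XOR with SHA-256(key || block counter).  Symmetric, so
    one function both encrypts and decrypts.  Stands in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def payload_encrypt(record: bytes, public_key):
    """The cryptovirus side of the model: draw a fresh session key, encrypt the
    record with it, wrap the session key under the embedded public key, and
    discard the session key.  Note what is absent: the private exponent d."""
    n, e = public_key
    session_key = secrets.randbelow(n - 2) + 2
    wrapped = pow(session_key, e, n)
    return wrapped, _keystream_xor(session_key, record)


def unwrap_and_decrypt(wrapped: int, ciphertext: bytes, private_key):
    """Whoever holds (n, d) can unwrap the session key and restore the record."""
    n, d = private_key
    return _keystream_xor(pow(wrapped, d, n), ciphertext)


def defender_factor(public_key):
    """Recover (n, d) from the public key alone by trial-division factoring.
    This succeeds only because the constructed modulus is about 40 bits; at
    real key sizes this is the infeasible step, so a captured sample does not
    hand the defender the key."""
    n, e = public_key
    f = 3                      # n is a product of odd primes, so start odd
    while n % f:
        f += 2
    p, q = f, n // f
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def demo():
    """Run the toy attack against a constructed in-memory 'database' and show
    the two routes back to the data: the toy factoring, and the offline backup."""
    pub, priv = make_keypair()
    database = {"wool_price": b"14% and rising", "broker": b"Sydney wool-broker"}
    backup = dict(database)            # offline copy taken before the incident
    ransom_note = {}                   # wrapped session keys the attacker keeps
    for name, record in database.items():
        wrapped, ciphertext = payload_encrypt(record, pub)
        database[name] = ciphertext    # live data is now unreadable
        ransom_note[name] = wrapped
    recovered_key = defender_factor(pub)
    return {
        "live_data_unreadable": all(database[k] != backup[k] for k in backup),
        "factored_key_matches": recovered_key == priv,
        "decrypted": {k: unwrap_and_decrypt(ransom_note[k], database[k], recovered_key)
                      for k in database},
        "restored_from_backup": backup,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is in payload_encrypt: the session key is generated, used, wrapped and then dropped, so even a complete memory image of the payload after the fact contains nothing that unlocks the records. That is the property the book's authors mean by turning public key encryption against its users.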

There is no evidence that such an attack has been mounted, but it is common for enterprises to conceal successful attacks on their respective systems. It has, however, been demonstrated in the laboratory that such attacks are feasible, and not just a theoretical threat.

Everyday virus authors and crackers will not, unless well versed in crypto, have the skills to apply the methods. Ordinary computer users shouldn't lose too much sleep over any immediate threat to their respective systems, but the potential threat at the enterprise level is significant. The risk of compromise of off-the-shelf cryptosystems needs to be re-assessed. Issues related to detection are discussed, but in the context of cryptographic techniques. An interesting question of liability is raised by the authors: "Can users be liable for not finding bugs in their software and fixing them? Can companies be liable for selling or distributing buggy software?".
 
Anyone with an interest in cryptographic methods will find this an interesting and informative text; the authors have done a good job of making a highly technical subject comprehensible to informed readers without any formal crypto background, but who are able to appreciate the maths.

Adam Young and Moti Yung: Malicious Cryptography: Exposing Cryptovirology
ISBN 0-7645-4975-8
Published by Wiley, 392 pp.,
RRP $74.95 incl. GST

Security Warrior

The sub-title of this book is "Know Your Enemy", which reflects its approach to information security: the best way to defend yourself is to understand your attacker in depth. It is a text designed to supplement the regular literature that information security practitioners will have read. However, even though an understanding of programming and networking is assumed, informed readers without that kind of knowledge will find much of it interesting, easy to read, and even entertaining.

Windows and Linux/UNIX operating systems are equally covered. On the Windows side, CE is given particular attention because it "powers many Windows mobile OS flavours such as PocketPC and SmartPhone" and "for better or worse, CE is set to become one of the most prevalent operating systems ... thanks to aggressive marketing tactics by Microsoft. In addition, because of their closed nature, Windows platforms usually see the majority of viruses and unethical corporate spyware". WinCE is a scaled-down version of Win2000/XP, both of which are also discussed in detail.

The first part of the book, Software Cracking, deals with reverse engineering (also called reverse code engineering), which is used as a cracking tool. It is also a valuable tool for testing a system for vulnerabilities. There has been little literature on reverse engineering in the context of information security; the authors take the view that knowledge of cracking techniques is essential to mounting a defence. In this part there is a detailed discussion of reverse engineering Windows, Linux, and WinCE.

Part 2, Network Stalking, deals with methods - including social engineering - of gaining access to and reconnoitering networks in order to explore attack possibilities. A chapter in this part explains how crackers hide their tracks.

Part 3, Platform Attacks, is particularly interesting for its descriptions of attack techniques in respect of UNIX and Windows, such as a possible method of cracking Kerberos authentication on Windows Server. Amongst other topics is an informative chapter on wireless security that includes topics such as signal drift, cracking WEP, and wireless sniffing.

Part 4, Advanced Defence, discusses the analysis of audit trails, intrusion detection systems, incident response, forensic and antiforensic tools, and honeypots (a honeypot is a dummy machine set up to observe intrusion and cracker attacks).

A very well written, comprehensive text that contains useful references, and details of software tools (and where they can be found). An essential resource for those responsible for information security.

Cyrus Peikari and Anton Chuvakin: Security Warrior
ISBN 0-596-00545-8
Published by O'Reilly, 531 pp.,
RRP $89.95 incl. GST

Best Damn Firewall Book Period

The title of this big book (almost 1300 pages) has a bellicose ring to it; however, in spite of sounding like an exaggerated claim, it is probably the most comprehensive and detailed text on firewalls for all platforms. Written for system and network administrators, the book is also a valuable resource for anyone who needs to develop a knowledge of firewall technologies. Syngress is well-known for its certification course texts and this title is written in the didactic course-text style. It uses straightforward language that directly addresses the reader. The explanatory discussions of information security concepts and technologies are well presented and suitable for newcomers to the subject. A very detailed table of contents should be a great help in locating specific topics.

The book is in six parts, the first of which is an introduction to security concepts, firewalls, and intrusion detection systems; it also discusses DMZ concepts, layout, and design.
 
The other parts of the book each deal with the installation and configuration of specific products for specific platforms. A remarkably detailed and wide-ranging coverage of firewall technologies and installation/configuration issues.

Robert Shimonski et al.: Best Damn Firewall Book Period
ISBN 1-931836-90-6
Published by Syngress, 1293 pp.,
RRP $120.00

Information Security Guide

The Information Security Officer's Guide is designed to be an "overview of the InfoSec professional's world, duties, responsibilities, and challenges".
 
This book is a valuable resource because it examines the total field of information security in a manner that serves both the professional reader - whether practitioner, student, or teacher - and the lay reader who has a stake or informed interest in the subject. It provides concise, non-technical discussions of the role of information security personnel and the issues that have to be addressed in respect of information protection. Many readers of PC Update will fall into the 'informed lay reader' category, and some of them will have some kind of stake in information security; the following comments about the book are designed for them.

It is important to appreciate the threat so as to assess a particular risk. For many users the greatest risk is catching a virus, for others a breach of privacy could have serious consequences, and others need to protect financial records and the means of access to bank accounts and the like. Managers and executives, even though not directly charged with a security role, need to inform themselves of the issues in order to make intelligent decisions (and not be snowed by some slick service provider). The book provides a sound overview of the kinds of threat and how they are dealt with, albeit at an enterprise level.

Security is not a static state. It is not like a safe that, once purchased, can be expected to provide protection without further attention. Security systems, no matter how large or small, need to be re-assessed at regular intervals.

For an insight into planning, acquiring, setting up, and maintaining a security system this is a valuable resource. Because the book does not deal with issues at a technical level, it is easy to read. It is non-technical in the sense that cryptography algorithms, programming, and the like are not discussed.

Small-to-medium businesses often see themselves as facing a threat that is in proportion to their size: if my business is one millionth the size of Telstra, then my risk is proportional. It's not that easy. Every business should consider the worst-case consequences of a security breach or system break-in. Most information security literature is about technical measures to detect and protect; this is one of the few texts that discusses risk assessment and management.

Gerald Kovacich: The Information Security Officer's Guide 2/e
ISBN 0-7506-7656-6
Published by Elsevier Science, 361 pp.,
RRP $80.30 incl. GST

Available from Elsevier Australia
Ph: 1800 263 951, Fax 02 9517 2249

Hack Attacks Encyclopedia

In the library is a copy of John Chirillo's Hack Attacks Encyclopedia, which is probably the most comprehensive library of material used by crackers, phreaks, and those engaged in the penetration of networks. It is not a book for reading in the ordinary sense, but has an extensive glossary and abstracts of an enormous number of files. Fully detailed information is contained on a companion CD. An important resource for anyone researching the subject.

By the same author, and recently released, are Hack Attacks Revealed (a complete reference with custom security toolkit) and Hack Attacks Denied (a step-by-step guide to stopping crackers in their tracks). These are published by Wiley at $92.95.

Reprinted from the October 2004 issue of PC Update, the magazine of Melbourne PC User Group, Australia
