book

Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

Name: Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition
Author: Bruce Schneier
ISBN: 9781119092438

by Bruce Schneier

March 2015

Intermediate to advanced

448 pages

12h 13m

English

Wiley

Read now

Unlock full access

Cover Page
Title Page
Copyright
Dedication
Contents
Foreword to 2015 15 th Anniversary Edition
Introduction from the Paperback Edition
Preface
About the Author
CHAPTER 1: Introduction
STEP ONE: ENFORCE LIABILITIESSTEP TWO: ALLOW PARTIES TO TRANSFER LIABILITIESSTEP THREE: PROVIDE MECHANISMS TO REDUCE RISKADDITIONAL BOOKSFURTHER READING

PART 1: THE LANDSCAPE
CHAPTER 2: Digital Threats
THE UNCHANGING NATURE OF ATTACKSTHE CHANGING NATURE OF ATTACKSPROACTION VS. REACTION
CHAPTER 3: Attacks
CRIMINAL ATTACKSPRIVACY VIOLATIONSPUBLICITY ATTACKSLEGAL ATTACKS
CHAPTER 4: Adversaries
HACKERSLONE CRIMINALSMALICIOUS INSIDERSINDUSTRIAL ESPIONAGEPRESSORGANIZED CRIMEPOLICETERRORISTSNATIONAL INTELLIGENCE ORGANIZATIONSINFOWARRIORS
CHAPTER 5: Security Needs
PRIVACYMULTILEVEL SECURITYANONYMITYPRIVACY AND THE GOVERNMENTAUTHENTICATIONINTEGRITYAUDITELECTRONIC CURRENCYPROACTIVE SOLUTIONS
PART 2: TECHNOLOGIES
CHAPTER 6: Cryptography
SYMMETRIC ENCRYPTIONTYPES OF CRYPTOGRAPHIC ATTACKSRECOGNIZING PLAINTEXTMESSAGE AUTHENTICATION CODESONE-WAY HASH FUNCTIONSPUBLIC-KEY ENCRYPTIONDIGITAL SIGNATURE SCHEMESRANDOM NUMBER GENERATORSKEY LENGTH
CHAPTER 7: Cryptography in Context
KEY LENGTH AND SECURITYONE-TIME PADSPROTOCOLSINTERNET CRYPTOGRAPHIC PROTOCOLSTYPES OF PROTOCOL ATTACKSCHOOSING AN ALGORITHM OR PROTOCOL
CHAPTER 8: Computer Security
DEFINITIONSACCESS CONTROLSECURITY MODELSSECURITY KERNELS AND TRUSTED COMPUTING BASESCOVERT CHANNELSEVALUATION CRITERIAFUTURE OF SECURE COMPUTERS
CHAPTER 9: Identification and Authentication
PASSWORDSBIOMETRICSACCESS TOKENSAUTHENTICATION PROTOCOLSSINGLE SIGN-ON
CHAPTER 10: Networked-Computer Security
MALICIOUS SOFTWAREMODULAR CODEMOBILE CODEWEB SECURITY
CHAPTER 11: Network Security
HOW NETWORKS WORKIP SECURITYDNS SECURITYDENIAL-OF-SERVICE ATTACKSDISTRIBUTED DENIAL-OF-SERVICE ATTACKSTHE FUTURE OF NETWORK SECURITY
CHAPTER 12: Network Defenses
FIREWALLSDEMILITARIZED ZONESVIRTUAL PRIVATE NETWORKSINTRUSION DETECTION SYSTEMSHONEY POTS AND BURGLAR ALARMSVULNERABILITY SCANNERSE-MAIL SECURITYENCRYPTION AND NETWORK DEFENSES
CHAPTER 13: Software Reliability
FAULTY CODEATTACKS ON FAULTY CODEBUFFER OVERFLOWSTHE UBIQUITY OF FAULTY CODE
CHAPTER 14: Secure Hardware
TAMPER RESISTANCESIDE-CHANNEL ATTACKSATTACKS AGAINST SMART CARDS
CHAPTER 15: Certificates and Credentials
TRUSTED THIRD PARTIESCREDENTIALSCERTIFICATESPROBLEMS WITH TRADITIONAL PKISPKIS ON THE INTERNET
CHAPTER 16: Security Tricks
GOVERNMENT ACCESS TO KEYSDATABASE SECURITYSTEGANOGRAPHYSUBLIMINAL CHANNELSDIGITAL WATERMARKINGCOPY PROTECTIONERASING DIGITAL INFORMATION
CHAPTER 17: The Human Factor
RISKEXCEPTION HANDLINGHUMAN–COMPUTER INTERFACEHUMAN–COMPUTER TRANSFERENCEMALICIOUS INSIDERSSOCIAL ENGINEERING
PART 3: STRATEGIES
CHAPTER 18: Vulnerabilities and the Vulnerability Landscape
ATTACK METHODOLOGYCOUNTERMEASURESTHE VULNERABILITY LANDSCAPERATIONALLY APPLYING COUNTERMEASURES
CHAPTER 19: Threat Modeling and Risk Assessment
FAIR ELECTIONSSECURE TELEPHONESSECURE E - MAILSTORED-VALUE SMART CARDSRISK ASSESSMENTTHE POINT OF THREAT MODELINGGETTING THE THREAT WRONG
CHAPTER 20: Security Policies and Countermeasures
SECURITY POLICIESTRUSTED CLIENT SOFTWAREAUTOMATIC TELLER MACHINESCOMPUTERIZED LOTTERY TERMINALSSMART CARDS VS. MEMORY CARDSRATIONAL COUNTERMEASURES
CHAPTER 21: Attack Trees
BASIC ATTACK TREESPGP ATTACK TREECREATING AND USING ATTACK TREES
CHAPTER 22: Product Testing and Verification
THE FAILURE OF TESTINGDISCOVERING SECURITY FLAWS AFTER THE FACTOPEN STANDARDS AND OPEN SOURCE SOLUTIONSREVERSE ENGINEERING AND THE LAWCRACKING AND HACKING CONTESTSEVALUATING AND CHOOSING SECURITY PRODUCTS
CHAPTER 23: The Future of Products
SOFTWARE COMPLEXITY AND SECURITYTECHNOLOGIES TO WATCHWILL WE EVER LEARN?
CHAPTER 24: Security Processes
PRINCIPLESDETECTION AND RESPONSECOUNTERATTACKMANAGE RISKOUTSOURCING SECURITY PROCESSES
CHAPTER 25: Conclusion
Afterword
Resources
Acknowledgments
Index

Content preview from Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

13 Software Reliability

Between system security measures (security kernels, access control measures, strong cryptography, etc.) and good network security measures (firewalls, intrusion detection systems, auditing mechanisms), it seems as if computer security is pretty much done. Why then, are computers and networks so insecure? Why are we seeing more computer security vulnerabilities in the media, and not less? Why aren't things getting better?

The problem is that security measures such as cryptography, secure kernels, firewalls, and everything else work much better in theory than they do in practice. In other words: Security flaws in the implementation are much more common, and much more serious, than security flaws in the design. So far, Part 2 has talked about design. This chapter is about implementation.

FAULTY CODE

In June 1996, the European Space Agency's Ariane 5 rocket exploded after launch because of a software error: The program tried to stick a 64-bit number into a 16-bit space, causing an overflow. Its lessons are particularly relevant to computer security.

Basically, there was a piece of code written for the Ariane 4 rocket that dealt with the rocket's sideways velocity. At 36.7 seconds after launch, the guidance system's computer tried to convert this velocity measurement from a 64-bit format to a 16-bit format. The number was too big, which caused an error. Normally, there would be extra code that watches for these sorts of errors and recovers gracefully. But the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide, 10th Edition

Publisher Resources

ISBN: 9781119092438Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Secrets and Lies: Digital Security in a Networked World, 15th Anniversary Edition

by Bruce Schneier

13

Software Reliability

FAULTY CODE

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.