book

Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition

Name: Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition
Author: Ross J. Anderson
ISBN: 9780470068526

by Ross J. Anderson

April 2008

Intermediate to advanced

1080 pages

33h 45m

English

Wiley

Read now

Unlock full access

Copyright
Credits
Preface to the Second Edition
Foreword
Preface
About the Author
Acknowledgments
Further Acknowledgments for the Second Edition
Legal Notice
Should This Book Be Published at All?
I. PART I

1. What Is Security Engineering?
1.1. Introduction1.2. A Framework1.3. Example 1 — A Bank1.4. Example 2 — A Military Base1.5. Example 3 — A Hospital1.6. Example 4 — The Home1.7. Definitions1.8. Summary
2. Usability and Psychology
2.1. Introduction2.2. Attacks Based on Psychology2.2.1. Pretexting2.2.2. Phishing2.3. Insights from Psychology Research2.3.1. What the Brain Does Worse Than the Computer2.3.2. Perceptual Bias and Behavioural Economics2.3.3. Different Aspects of Mental Processing2.3.4. Differences Between People2.3.5. Social Psychology2.3.6. What the Brain Does Better Than the Computer2.4. Passwords2.4.1. Difficulties with Reliable Password Entry2.4.2. Difficulties with Remembering the Password2.4.3. Naive Password Choice2.4.4. User Abilities and Training2.4.4.1. Design Errors2.4.4.2. Operational Issues2.4.5. Social-Engineering Attacks2.4.6. Trusted Path2.4.7. Phishing Countermeasures2.4.7.1. Password Manglers2.4.7.2. Client Certs or Specialist Apps2.4.7.3. Using the Browser's Password Database2.4.7.4. Soft Keyboards2.4.7.5. Customer Education2.4.7.6. Microsoft Passport2.4.7.7. Phishing Alert Toolbars2.4.7.8. Two-Factor Authentication2.4.7.9. Trusted Computing2.4.7.10. Fortified Password Protocols2.4.7.11. Two-Channel Authentication2.4.8. The Future of Phishing2.5. System Issues2.5.1. Can You Deny Service?2.5.2. Protecting Oneself or Others?2.5.3. Attacks on Password Entry2.5.3.1. Interface Design2.5.3.2. Eavesdropping2.5.3.3. Technical Defeats of Password Retry Counters2.5.4. Attacks on Password Storage2.5.4.1. One-Way Encryption2.5.4.2. Password Cracking2.5.5. Absolute Limits2.6. CAPTCHAs2.7. Summary2.8. Research Problems2.9. Further Reading
3. Protocols
3.1. Introduction3.2. Password Eavesdropping Risks3.3. Who Goes There? — Simple Authentication3.3.1. Challenge and Response3.3.2. The MIG-in-the-Middle Attack3.3.3. Reflection Attacks3.4. Manipulating the Message3.5. Changing the Environment3.6. Chosen Protocol Attacks3.7. Managing Encryption Keys3.7.1. Basic Key Management3.7.2. The Needham-Schroeder Protocol3.7.3. Kerberos3.7.4. Practical Key Management3.8. Getting Formal3.8.1. A Typical Smartcard Banking Protocol3.8.2. The BAN Logic3.8.3. Verifying the Payment Protocol3.8.4. Limitations of Formal Verification3.9. Summary3.10. Research Problems3.11. Further Reading
4. Access Control
4.1. Introduction4.2. Operating System Access Controls4.2.1. Groups and Roles4.2.2. Access Control Lists4.2.3. Unix Operating System Security4.2.4. Apple's OS/X4.2.5. Windows – Basic Architecture4.2.6. Capabilities4.2.7. Windows – Added Features4.2.8. Middleware4.2.8.1. Database Access Controls4.2.8.2. General Middleware Issues4.2.8.3. ORBs and Policy Languages4.2.9. Sandboxing and Proof-Carrying Code4.2.10. Virtualization4.2.11. Trusted Computing4.3. Hardware Protection4.3.1. Intel Processors, and 'Trusted Computing'4.3.2. ARM Processors4.3.3. Security Processors4.4. What Goes Wrong4.4.1. Smashing the Stack4.4.2. Other Technical Attacks4.4.3. User Interface Failures4.4.4. Why So Many Things Go Wrong4.4.5. Remedies4.4.6. Environmental Creep4.5. Summary4.6. Research Problems4.7. Further Reading
5. Cryptography
5.1. Introduction5.2. Historical Background5.2.1. An Early Stream Cipher – The Vigenère5.2.2. The One-Time Pad5.2.3. An Early Block Cipher – Playfair5.2.4. One-Way Functions5.2.5. Asymmetric Primitives5.3. The Random Oracle Model5.3.1. Random Functions – Hash Functions5.3.1.1. Properties5.3.1.2. The Birthday Theorem5.3.2. Random Generators – Stream Ciphers5.3.3. Random Permutations – Block Ciphers5.3.4. Public Key Encryption and Trapdoor One-Way Permutations5.3.5. Digital Signatures5.4. Symmetric Crypto Primitives5.4.1. SP-Networks5.4.1.1. Block Size5.4.1.2. Number of Rounds5.4.1.3. Choice of S-Boxes5.4.1.4. Linear Cryptanalysis5.4.1.5. Differential Cryptanalysis5.4.1.6. Serpent5.4.2. The Advanced Encryption Standard (AES)5.4.3. Feistel Ciphers5.4.3.1. The Luby-Rackoff Result5.4.3.2. DES5.5. Modes of Operation5.5.1. Electronic Code Book5.5.2. Cipher Block Chaining5.5.3. Output Feedback5.5.4. Counter Encryption5.5.5. Cipher Feedback5.5.6. Message Authentication Code5.5.7. Composite Modes of Operation5.6. Hash Functions5.6.1. Extra Requirements on the Underlying Cipher5.6.2. Common Hash Functions and Applications5.7. Asymmetric Crypto Primitives5.7.1. Cryptography Based on Factoring5.7.2. Cryptography Based on Discrete Logarithms5.7.2.1. Public Key Encryption — Diffie Hellman and ElGamal5.7.2.2. Key Establishment5.7.2.3. Digital Signature5.7.3. Special Purpose Primitives5.7.4. Elliptic Curve Cryptography5.7.5. Certification5.7.6. The Strength of Asymmetric Cryptographic Primitives5.8. Summary5.9. Research Problems5.10. Further Reading
6. Distributed Systems
6.1. Introduction6.2. Concurrency6.2.1. Using Old Data Versus Paying to Propagate State6.2.2. Locking to Prevent Inconsistent Updates6.2.3. The Order of Updates6.2.4. Deadlock6.2.5. Non-Convergent State6.2.6. Secure Time6.3. Fault Tolerance and Failure Recovery6.3.1. Failure Models6.3.1.1. Byzantine Failure6.3.1.2. Interaction with Fault Tolerance6.3.2. What Is Resilience For?6.3.3. At What Level Is the Redundancy?6.3.4. Service-Denial Attacks6.4. Naming6.4.1. The Distributed Systems View of Naming6.4.2. What Else Goes Wrong6.4.2.1. Naming and Identity6.4.2.2. Cultural Assumptions6.4.2.3. Semantic Content of Names6.4.2.4. Uniqueness of Names6.4.2.5. Stability of Names and Addresses6.4.2.6. Adding Social Context to Naming6.4.2.7. Restrictions on the Use of Names6.4.3. Types of Name6.5. Summary6.6. Research Problems6.7. Further Reading
7. Economics
7.1. Introduction7.2. Classical Economics7.2.1. Monopoly7.2.2. Public Goods7.3. Information Economics7.3.1. The Price of Information7.3.2. The Value of Lock-In7.3.3. Asymmetric Information7.4. Game Theory7.4.1. The Prisoners' Dilemma7.4.2. Evolutionary Games7.5. The Economics of Security and Dependability7.5.1. Weakest Link, or Sum of Efforts?7.5.2. Managing the Patching Cycle7.5.3. Why Is Windows So Insecure?7.5.4. Economics of Privacy7.5.5. Economics of DRM7.6. Summary7.7. Research Problems7.8. Further Reading
II. PART II
8. Multilevel Security
8.1. Introduction8.2. What Is a Security Policy Model?8.3. The Bell-LaPadula Security Policy Model8.3.1. Classifications and Clearances8.3.2. Information Flow Control8.3.3. The Standard Criticisms of Bell-LaPadula8.3.4. Alternative Formulations8.3.5. The Biba Model and Vista8.4. Historical Examples of MLS Systems8.4.1. SCOMP8.4.2. Blacker8.4.3. MLS Unix and Compartmented Mode Workstations8.4.4. The NRL Pump8.4.5. Logistics Systems8.4.6. Sybard Suite8.4.7. Wiretap Systems8.5. Future MLS Systems8.5.1. Vista8.5.2. Linux8.5.3. Virtualization8.5.4. Embedded Systems8.6. What Goes Wrong8.6.1. Composability8.6.2. The Cascade Problem8.6.3. Covert Channels8.6.4. The Threat from Viruses8.6.5. Polyinstantiation8.6.6. Other Practical Problems8.7. Broader Implications of MLS8.8. Summary8.9. Research Problems8.10. Further Reading
9. Multilateral Security
9.1. Introduction9.2. Compartmentation, the Chinese Wall and the BMA Model9.2.1. Compartmentation and the Lattice Model9.2.2. The Chinese Wall9.2.3. The BMA Model9.2.3.1. The Threat Model9.2.3.2. The Security Policy9.2.3.3. Pilot Implementations9.2.4. Current Privacy Issues9.3. Inference Control9.3.1. Basic Problems of Inference Control in Medicine9.3.2. Other Applications of Inference Control9.3.3. The Theory of Inference Control9.3.3.1. Query Set Size Control9.3.3.2. Trackers9.3.3.3. More Sophisticated Query Controls9.3.3.4. Cell Suppression9.3.3.5. Maximum Order Control and the Lattice Model9.3.3.6. Audit Based Control9.3.3.7. Randomization9.3.4. Limitations of Generic Approaches9.3.4.1. Active Attacks9.3.5. The Value of Imperfect Protection9.4. The Residual Problem9.5. Summary9.6. Research Problems9.7. Further Reading
10. Banking and Bookkeeping
10.1. Introduction10.1.1. The Origins of Bookkeeping10.1.2. Double-Entry Bookkeeping10.1.3. A Telegraphic History of E-commerce10.2. How Bank Computer Systems Work10.2.1. The Clark-Wilson Security Policy Model10.2.2. Designing Internal Controls10.2.3. What Goes Wrong10.3. Wholesale Payment Systems10.3.1. SWIFT10.3.2. What Goes Wrong10.4. Automatic Teller Machines10.4.1. ATM Basics10.4.2. What Goes Wrong10.4.3. Incentives and Injustices10.5. Credit Cards10.5.1. Fraud10.5.2. Forgery10.5.3. Automatic Fraud Detection10.5.4. The Economics of Fraud10.5.5. Online Credit Card Fraud – the Hype and the Reality10.6. Smartcard-Based Banking10.6.1. EMV10.6.1.1. Static Data Authentication10.6.1.2. Dynamic Data Authentication10.6.1.3. Combined Data Authentication10.6.2. RFID10.7. Home Banking and Money Laundering10.8. Summary10.9. Research Problems10.10. Further Reading
11. Physical Protection
11.1. Introduction11.2. Threats and Barriers11.2.1. Threat Model11.2.2. Deterrence11.2.3. Walls and Barriers11.2.4. Mechanical Locks11.2.5. Electronic Locks11.3. Alarms11.3.1.11.3.1.1.11.3.1.1.1. How to steal a painting (1)11.3.2. How not to Protect a Painting11.3.2.1.11.3.2.1.1. How to steal a painting (2)11.3.3. Sensor Defeats11.3.3.1.11.3.3.1.1. How to steal a painting (3)11.3.4. Feature Interactions11.3.4.1.11.3.4.1.1. How to steal a painting (4)11.3.5. Attacks on Communications11.3.5.1.11.3.5.1.1. How to steal a painting (5)11.3.5.1.2. How to steal a painting (6)11.3.5.1.3. How to steal a painting (7)11.3.6. Lessons Learned11.4. Summary11.5. Research Problems11.6. Further Reading
12. Monitoring and Metering
12.1. Introduction12.2. Prepayment Meters12.2.1. Utility Metering12.2.2. How the System Works12.2.3. What Goes Wrong12.3. Taxi Meters, Tachographs and Truck Speed Limiters12.3.1. The Tachograph12.3.2. What Goes Wrong12.3.2.1. How Most Tachograph Manipulation Is Done12.3.2.2. Tampering with the Supply12.3.2.3. Tampering with the Instrument12.3.2.4. High-Tech Attacks12.3.3. The Digital Tachograph Project12.3.3.1. System Level Problems12.3.3.2. Other Problems12.3.3.3. The Resurrecting Duckling12.4. Postage Meters12.5. Summary12.6. Research Problems12.7. Further Reading
13. Nuclear Command and Control
13.1. Introduction13.2. The Evolution of Command and Control13.2.1. The Kennedy Memorandum13.2.2. Authorization, Environment, Intent13.3. Unconditionally Secure Authentication13.4. Shared Control Schemes13.5. Tamper Resistance and PALs13.6. Treaty Verification13.7. What Goes Wrong13.8. Secrecy or Openness?13.9. Summary13.10. Research Problems13.11. Further Reading
14. Security Printing and Seals
14.1. Introduction14.2. History14.3. Security Printing14.3.1. Threat Model14.3.2. Security Printing Techniques14.4. Packaging and Seals14.4.1. Substrate Properties14.4.2. The Problems of Glue14.4.3. PIN Mailers14.5. Systemic Vulnerabilities14.5.1. Peculiarities of the Threat Model14.5.2. Anti-Gundecking Measures14.5.3. The Effect of Random Failure14.5.4. Materials Control14.5.5. Not Protecting the Right Things14.5.6. The Cost and Nature of Inspection14.6. Evaluation Methodology14.7. Summary14.8. Research Problems14.9. Further Reading
15. Biometrics
15.1. Introduction15.2. Handwritten Signatures15.3. Face Recognition15.4. Bertillonage15.5. Fingerprints15.5.1. Verifying Positive or Negative Identity Claims15.5.2. Crime Scene Forensics15.6. Iris Codes15.7. Voice Recognition15.8. Other Systems15.9. What Goes Wrong15.10. Summary15.11. Research Problems15.12. Further Reading
16. Physical Tamper Resistance
16.1. Introduction16.2. History16.3. High-End Physically Secure Processors16.3.1.16.3.1.1.16.3.1.1.1. How to hack a cryptoprocessor (1)16.3.1.1.2. How to hack a cryptoprocessor (2)16.3.1.1.3. How to hack a cryptoprocessor (3)16.3.1.1.4. How to hack a cryptoprocessor (4)16.3.1.1.5. How to hack a cryptoprocessor (5)16.3.1.1.6. How to hack a cryptoprocessor (6)16.3.1.1.7. How to hack a cryptoprocessor (7)16.4. Evaluation16.5. Medium Security Processors16.5.1. The iButton16.5.2. The Dallas 5000 Series16.5.3. FPGA Security, and the Clipper Chip16.6. Smartcards and Microcontrollers16.6.1. History16.6.2. Architecture16.6.3. Security Evolution16.6.3.1.16.6.3.1.1. How to hack a smartcard (1)16.6.3.1.2. How to hack a smartcard (2)16.6.3.1.3. How to hack a smartcard (3)16.6.3.1.4. How to hack a smartcard (4)16.6.3.1.5. How to hack a smartcard (5)16.6.3.1.6. How to hack a smartcard (6)16.6.3.1.7. How to hack a smartcard (7)16.6.3.1.8. How to hack a smartcard (8)16.6.3.1.9. How to hack a smartcard (9)16.6.3.1.10. How to hack a smartcard (10)16.6.4. The State of the Art16.6.4.1. Defense in Depth16.6.4.2. Stop Loss16.7. What Goes Wrong16.7.1. The Trusted Interface Problem16.7.2. Conflicts16.7.3. The Lemons Market, Risk Dumping and Evaluation16.7.4. Security-By-Obscurity16.7.5. Interaction with Policy16.7.6. Function Creep16.8. So What Should One Protect?16.9. Summary16.10. Research Problems16.11. Further Reading
17. Emission Security
17.1. Introduction17.2. History17.3. Technical Surveillance and Countermeasures17.4. Passive Attacks17.4.1. Leakage Through Power and Signal Cables17.4.1.1. Red/Black Separation17.4.1.2. Timing Analysis17.4.1.3. Power Analysis17.4.2. Leakage Through RF Signals17.5. Active Attacks17.5.1. Tempest Viruses17.5.2. Nonstop17.5.3. Glitching17.5.4. Differential Fault Analysis17.5.5. Combination Attacks17.5.6. Commercial Exploitation17.5.7. Defenses17.6. Optical, Acoustic and Thermal Side Channels17.7. How Serious are Emsec Attacks?17.7.1. Governments17.7.2. Businesses17.8. Summary17.9. Research Problems17.10. Further Reading
18. API Attacks
18.1. Introduction18.2. API Attacks on Security Modules18.2.1. The XOR-To-Null-Key Attack18.2.2. The Attack on the 475818.2.3. Multiparty Computation, and Differential Protocol Attacks18.2.4. The EMV Attack18.3. API Attacks on Operating Systems18.4. Summary18.5. Research Problems18.6. Further Reading
19. Electronic and Information Warfare
19.1. Introduction19.2. Basics19.3. Communications Systems19.3.1. Signals Intelligence Techniques19.3.2. Attacks on Communications19.3.3. Protection Techniques19.3.3.1. Frequency Hopping19.3.3.2. DSSS19.3.3.3. Burst Communications19.3.3.4. Combining Covertness and Jam Resistance19.3.4. Interaction Between Civil and Military Uses19.4. Surveillance and Target Acquisition19.4.1. Types of Radar19.4.2. Jamming Techniques19.4.3. Advanced Radars and Countermeasures19.4.4. Other Sensors and Multisensor Issues19.5. IFF Systems19.6. Improvised Explosive Devices19.7. Directed Energy Weapons19.8. Information Warfare19.8.1. Definitions19.8.2. Doctrine19.8.3. Potentially Useful Lessons from Electronic Warfare19.8.4. Differences Between E-war and I-war19.9. Summary19.10. Research Problems19.11. Further Reading
20. Telecom System Security
20.1. Introduction20.2. Phone Phreaking20.2.1. Attacks on Metering20.2.2. Attacks on Signaling20.2.3. Attacks on Switching and Configuration20.2.4. Insecure End Systems20.2.5. Feature Interaction20.3. Mobile Phones20.3.1. Mobile Phone Cloning20.3.2. GSM Security Mechanisms20.3.3. Third Generation Mobiles — 3gpp20.3.4. Platform Security20.3.5. So Was Mobile Security a Success or a Failure?20.3.6. VOIP20.4. Security Economics of Telecomms20.4.1. Frauds by Phone Companies20.4.2. Billing Mechanisms20.5. Summary20.6. Research Problems20.7. Further Reading
21. Network Attack and Defense
21.1. Introduction21.2. Vulnerabilities in Network Protocols21.2.1. Attacks on Local Networks21.2.2. Attacks Using Internet Protocols and Mechanisms21.2.2.1. SYN Flooding21.2.2.2. Smurfing21.2.2.3. Distributed Denial of Service Attacks21.2.2.4. Spam21.2.2.5. DNS Security and Pharming21.3. Trojans, Viruses, Worms and Rootkits21.3.1. Early History of Malicious Code21.3.2. The Internet Worm21.3.3. How Viruses and Worms Work21.3.4. The History of Malware21.3.5. Countermeasures21.4. Defense Against Network Attack21.4.1. Configuration Management and Operational Security21.4.2. Filtering: Firewalls, Spam Filters, Censorware and Wiretaps21.4.2.1. Packet Filtering21.4.2.2. Circuit Gateways21.4.2.3. Application Relays21.4.2.4. Ingress Versus Egress Filtering21.4.2.5. Architecture21.4.3. Intrusion Detection21.4.3.1. Types of Intrusion Detection21.4.3.2. General Limitations of Intrusion Detection21.4.3.3. Specific Problems Detecting Network Attacks21.4.4. Encryption21.4.4.1. SSH21.4.4.2. WiFi21.4.4.3. Bluetooth21.4.4.4. HomePlug21.4.4.5. IPsec21.4.4.6. TLS21.4.4.7. PKI21.5. Topology21.6. Summary21.7. Research Problems21.8. Further Reading
22. Copyright and DRM
22.1. Introduction22.2. Copyright22.2.1. Software22.2.2. Books22.2.3. Audio22.2.4. Video and Pay-TV22.2.4.1. Typical System Architecture22.2.4.2. Video Scrambling Techniques22.2.4.3. Attacks on Hybrid Scrambling Systems22.2.4.4. DVB22.2.5. DVD22.2.6. HD-DVD and Blu-ray22.2.6.1. AACS — Broadcast Encryption and Traitor Tracing22.2.6.2. Blu-ray and SPDC22.3. General Platforms22.3.1. Windows Media Rights Management22.3.2. Other Online Rights-Management Systems22.3.3. Peer-to-Peer Systems22.3.4. Rights Management of Semiconductor IP22.4. Information Hiding22.4.1. Watermarks and Copy Generation Management22.4.2. General Information Hiding Techniques22.4.3. Attacks on Copyright Marking Schemes22.4.4. Applications of Copyright Marking Schemes22.5. Policy22.5.1. The IP Lobby22.5.2. Who Benefits?22.6. Accessory Control22.7. Summary22.8. Research Problems22.9. Further Reading
23. The Bleeding Edge
23.1. Introduction23.2. Computer Games23.2.1. Types of Cheating23.2.2. Aimbots and Other Unauthorized Software23.2.3. Virtual Worlds, Virtual Economies23.3. Web Applications23.3.1. eBay23.3.2. Google23.3.3. Social Networking Sites23.4. Privacy Technology23.4.1. Anonymous Email–The Dining Cryptographers and Mixes23.4.2. Anonymous Web Browsing–Tor23.4.3. Confidential and Anonymous Phone Calls23.4.4. Email Encryption23.4.5. Steganography and Forensics Countermeasures23.4.6. Putting It All Together23.5. Elections23.6. Summary23.7. Research Problems23.8. Further Reading
III. PART III
24. Terror, Justice and Freedom
24.1. Introduction24.2. Terrorism24.2.1. Causes of Political Violence24.2.2. The Psychology of Political Violence24.2.3. The Role of Political Institutions24.2.4. The Role of the Press24.2.5. The Democratic Response24.3. Surveillance24.3.1. The History of Government Wiretapping24.3.2. The Growing Controversy about Traffic Analysis24.3.3. Unlawful Surveillance24.3.4. Access to Search Terms and Location Data24.3.5. Data Mining24.3.6. Surveillance via ISPs — Carnivore and its Offspring24.3.7. Communications Intelligence on Foreign Targets24.3.8. Intelligence Strengths and Weaknesses24.3.9. The Crypto Wars24.3.9.1. The Back Story to Crypto Policy24.3.9.2. DES and Crypto Research24.3.9.3. The Clipper Chip24.3.10. Did the Crypto Wars Matter?24.3.11. Export Control24.4. Censorship24.4.1. Censorship by Authoritarian Regimes24.4.2. Network Neutrality24.4.3. Peer-to-Peer, Hate Speech and Child Porn24.5. Forensics and Rules of Evidence24.5.1. Forensics24.5.2. Admissibility of Evidence24.6. Privacy and Data Protection24.6.1. European Data Protection24.6.2. Differences between Europe and the USA24.7. Summary24.8. Research Problems24.9. Further Reading
25. Managing the Development of Secure Systems
25.1. Introduction25.2. Managing a Security Project25.2.1. A Tale of Three Supermarkets25.2.2. Risk Management25.2.3. Organizational Issues25.2.3.1. The Complacency Cycle and the Risk Thermostat25.2.3.2. Interaction with Reliability25.2.3.3. Solving the Wrong Problem25.2.3.4. Incompetent and Inexperienced Security Managers25.2.3.5. Moral Hazard25.3. Methodology25.3.1. Top-Down Design25.3.2. Iterative Design25.3.3. Lessons from Safety-Critical Systems25.4. Security Requirements Engineering25.4.1. Managing Requirements Evolution25.4.1.1. Bug Fixing25.4.1.2. Control Tuning and Corporate Governance25.4.1.3. Evolving Environments and the Tragedy of the Commons25.4.1.4. Organizational Change25.4.2. Managing Project Requirements25.4.3. Parallelizing the Process25.5. Risk Management25.6. Managing the Team25.7. Summary25.8. Research Problems25.9. Further Reading
26. System Evaluation and Assurance
26.1. Introduction26.2. Assurance26.2.1. Perverse Economic Incentives26.2.2. Project Assurance26.2.2.1. Security Testing26.2.2.2. Formal Methods26.2.2.3. Quis Custodiet?26.2.3. Process Assurance26.2.4. Assurance Growth26.2.5. Evolution and Security Assurance26.3. Evaluation26.3.1. Evaluations by the Relying Party26.3.2. The Common Criteria26.3.3. What the Common Criteria Don't Do26.3.3.1. Corruption, Manipulation and Inertia26.4. Ways Forward26.4.1. Hostile Review26.4.2. Free and Open-Source Software26.4.3. Semi-Open Design26.4.4. Penetrate-and-Patch, CERTs, and Bugtraq26.4.5. Education26.5. Summary26.6. Research Problems26.7. Further Reading
27. Conclusions
Bibliography

Content preview from Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition

Chapter 21. Network Attack and Defense

Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography.

—— Attributed by Roger Needham and Butler Lampson to Each Other

If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.

—— Richard Clarke, Former U.S. Cybersecurity Tsar

Introduction

So far we've seen a large number of attacks against individual computers and other devices. But attacks increasingly depend on connectivity. Consider the following examples.

An office worker clicks on an attachment in email. This infects her PC with malware that compromises other machines in her office by snooping passwords that travel across the LAN.
The reason she clicked on the attachment is that the email came from her mother. The malware had infected her mother's machine and then sent out a copy of a recent email, with itself attached, to everyone in mum's address book.
Her mother in turn got infected by an old friend who chose a common password for his ISP account. When there are many machines on a network, the bad guys don't have to be choosy; rather than trying to guess the password for a particular account, they just try one password over and over for millions of accounts. Given a webmail account, they can send out bad email to the whole contact list.
Another attack technique that makes sense only in a network context is Google hacking. Here, the bad guys use search engines to find ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470068526Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition

by Ross J. Anderson

Chapter 21. Network Attack and Defense

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.