June 01, 2005, 11:12 AM — In today's column, we're going to take a look at a fascinating book entitled "Silence on the Wire: a Field Guide to Passive Reconnaissance and Indirect Attacks" by Michal Zalewski and published this year by No Starch Press. This book takes a very unusual approach in explaining the nature of a type of threat that most of us would probably never have normally considered; that is -- how much information can be gleaned about our systems, our businesses and ourselves by a very patient individual who is doing little more than paying attention to subtle "leaks" of information that can be extracted from everyday system communications.
To warm you up to this idea, let's consider a possible analogy from everyday life. Passive reconnaissance in your hometown might involve what you can learn about a particular neighbor by watching the cars that stop by his house, noticing how long they stay and whether the same cars return or every car that stops appears to stop by only once.
Passive reconnaissance involves collecting information about a particular target without the target knowing and without anything being disrupted (or detected) in the process. Indirect attacks are a bit less passive. In these, the attacker takes some action to facilitate data collection, such as probing the system in some way which makes it likely that it will share more than it would ordinarily.
The book's approach to describing why these attack methods are possible and how they work starts with in-depth descriptions of systems, software and networking technology and then goes on to explain why each of these system or network components might allow someone to collect information that was not intended to be shared.
In early chapters, for example, we read about keyboard circuitry. We begin to see how the timing of key presses might be useful in inferring the text being typed. We also learn how the numeric basis of public key encryption depends on a particular system's ability to obtain unpredictable data from hardware or the "environment" (some activity on the system that cannot be predicted) and how the critical randomness of that data can be reduced if the entropy pool is run dry. We consider how some software packages may surreptitiously slip identifying information about the user of the package into documents that he creates.
In later chapters, we read that the padding on certain packets might contain chunks of data pulled from memory -- perhaps data of a sensitive nature that is being used or has been left in memory by some other process. We consider how the LEDs on many pieces of network equipment might reveal the information being transmitted.
We also learn how a switch, flooded with packets from many MAC addresses (presumably falsified) can run out of space in the table that it uses to keep track of the associations between these addresses and the ports through which these addresses appear to be reachable. When this happens, the switch reverts to what is referred to as "hub mode"; in other words, like a hub, the switch sends all packets out through every port. What has this to do with passive reconnaissance? It means that a switch can be tricked into sending packets to an attacker that should have been sent only to the intended system.
And this is just a sampling of the numerous issues this novel security book brings to the table. It also discusses the passive reconnaissance opportunities presented by networking and network applications. In Part III of the book, we read about passive fingerprinting, IP fragmentation, initial sequence number generation, filtering, fragmentation, masquerading, MTU discovery, stack data leaks, detecting deceptive clients in HTTP and the reasons why it is nearly impossible to hide your identify online. In Part IV, we examine parasitic computing, Internet topology and detecting malformed and misdirected packets.
How it Works, How it Breaks
I have often said, in reference to troubleshooting anything from automobile engines to complex applications, that the best way to understand how things break is to understand how they work. Even a thing as simple as the latch on a cabinet door can be troubleshot by considering the way in which one part of the latch must press outward and slip into a groove for the latch to engage. When a door doesn't latch, there is likely a misalignment between the latch and the groove. Thinking about the way a latch works makes its failure to work properly easy to diagnose.
