From: www.itworld.com

Book Review: Silence on the Wire

by Sandra Henry-Stocker

June 1, 2005 —

In today's column, we're going to take a look at a fascinating book entitled "Silence on the Wire: a Field Guide to Passive Reconnaissance and Indirect Attacks" by Michal Zalewski and published this year by No Starch Press. This book takes a very unusual approach in explaining the nature of a type of threat that most of us would probably never have normally considered; that is -- how much information can be gleaned about our systems, our businesses and ourselves by a very patient individual who is doing little more than paying attention to subtle "leaks" of information that can be extracted from everyday system communications.

To warm you up to this idea, let's consider a possible analogy from everyday life. Passive reconnaissance in your hometown might involve what you can learn about a particular neighbor by watching the cars that stop by his house, noticing how long they stay and whether the same cars return or every car that stops appears to stop by only once.

Passive reconnaissance involves collecting information about a particular target without the target knowing and without anything being disrupted (or detected) in the process. Indirect attacks are a bit less passive. In these, the attacker takes some action to facilitate data collection, such as probing the system in some way which makes it likely that it will share more than it would ordinarily.

The book's approach to describing why these attack methods are possible and how they work starts with in-depth descriptions of systems, software and networking technology and then goes on to explain why each of these system or network components might allow someone to collect information that was not intended to be shared.

In early chapters, for example, we read about keyboard circuitry. We begin to see how the timing of key presses might be useful in inferring the text being typed. We also learn how the numeric basis of public key encryption depends on a particular system's ability to obtain unpredictable data from hardware or the "environment" (some activity on the system that cannot be predicted) and how the critical randomness of that data can be reduced if the entropy pool is run dry. We consider how some software packages may surreptitiously slip identifying information about the user of the package into documents that he creates.

In later chapters, we read that the padding on certain packets might contain chunks of data pulled from memory -- perhaps data of a sensitive nature that is being used or has been left in memory by some other process. We consider how the LEDs on many pieces of network equipment might reveal the information being transmitted.

We also learn how a switch, flooded with packets from many MAC addresses (presumably falsified) can run out of space in the table that it uses to keep track of the associations between these addresses and the ports through which these addresses appear to be reachable. When this happens, the switch reverts to what is referred to as "hub mode"; in other words, like a hub, the switch sends all packets out through every port. What has this to do with passive reconnaissance? It means that a switch can be tricked into sending packets to an attacker that should have been sent only to the intended system.

And this is just a sampling of the numerous issues this novel security book brings to the table. It also discusses the passive reconnaissance opportunities presented by networking and network applications. In Part III of the book, we read about passive fingerprinting, IP fragmentation, initial sequence number generation, filtering, fragmentation, masquerading, MTU discovery, stack data leaks, detecting deceptive clients in HTTP and the reasons why it is nearly impossible to hide your identify online. In Part IV, we examine parasitic computing, Internet topology and detecting malformed and misdirected packets.

How it Works, How it Breaks

I have often said, in reference to troubleshooting anything from automobile engines to complex applications, that the best way to understand how things break is to understand how they work. Even a thing as simple as the latch on a cabinet door can be troubleshot by considering the way in which one part of the latch must press outward and slip into a groove for the latch to engage. When a door doesn't latch, there is likely a misalignment between the latch and the groove. Thinking about the way a latch works makes its failure to work properly easy to diagnose.

It is also true that the best way to understand how a thing can be abused is to understand how it was designed to work. And this intense book will give you countless insights into how the technologies you work with every day were designed to work and how, given this design -- under normal or stressed conditions, they might divulge otherwise private information.

The Bottom Line

This book is about a particular kind of vulnerability -- how information can be gained about a system by passively observing its activity "on the wire" or by coaxing it into being more forthcoming. In short, technology designed for users who play nice may not provide as much defense as we would like against those who do not.

Will reading this book help keep the next hacker from penetrating your network or crashing your server? Probably not. Will it give you a remarkable new perspective on how your systems work and what kind of approaches you might need to take, now or long term, to make them less vulnerable? Undoubtedly.

What makes this book a must-read for sysadmins are the clear explanations and practical insights into the technologies that we manage. What makes it a joy to read are the author's appealing humility, sense of humor and vast knowledge. If you want to understand the stealthier side of hacking, this book is for you. Whether you are a seasoned systems administrator, a security specialist, a rank beginner or a high-level manager, this book is likely to open your eyes to issues you've never considered; you may never look at your computers in quite the same way.

A "self-taught security enthusiast" who just happens to have authored serious scientific research papers, written his own security utility and busied Bugtraq with his frequent postings, Michal Zalewski has written what is sure to become a technical security classic.

ITworld.com