INLS187: Book Review

 

Jesse Aaron Safir
April 10, 2002
Book Review Project

Book Chosen For Review: Avi Rubin's White-Hat Security Arsenal: Tackling the Threats

Introduction: For this Book Review project, I chose to read one of the new acquisitions in the SILS library.  I was attracted to the title White-Hat Security Arsenal because I believed this would be a book about the techniques crackers use to break into information systems and the tools that security administrators and systems engineers could use to test their own systems for those vulnerabilities before the crackers find them.  This Book Review project will examine what kind of information can be found in this book and will critique it on a number of points.

Summary of the Book: Dr. Aviel Rubin is a computer scientist and principal researcher at AT&T Labs-Research.  He regularly meets with IT staff from all types of companies, and he wrote this book to provide an overview of each type of threat posed to information systems and the techniques that have been developed for combating those threats.  The book turns out to be a little different from what I expected.  In fact, it is a great introduction to each area of information system security, the threats that are posed, and the techniques that have been developed to combat those threats.

The book is divided into five parts.  Part I is called "Is There Really A Threat?" and it examines what is at risk, the history of some of the most notable computer worms and viruses that have appeared since 1988, and what we have learned about security vulnerabilities from dealing with those threats.  Part II is called "Storing Data Securely" and it deals with technologies that use cryptography to secure data on local computers, remote servers, and tape backups.  Part III is called "Secure Data Transfer" and I believe it provides a detailed explanation of public key cryptography, although I have not had an opportunity to read this section yet.  Part IV is called "Protecting Against Network Threats" and it deals with all issues pertaining to network perimeter security.  Part V is called "Commerce and Privacy" and it first goes into a lot of detail about using SSL to protect e-commerce transactions and then deals with ways that personal privacy and anonymity can be protected.

In Chapter 1, Avi explains that most companies are reluctant to publicly admit to security breaches for fear of losing customers, but a new trend is for IT professionals, even from competing companies, to get together to share their experiences and mutually benefit from an open and honest exchange of information about security breaches (p.6).  In Chapter 2, Avi explains that poor administration leads to the existence of "stale" user accounts, out-of-date and unpatched system binaries, and ignorance of current security alerts.  He talks about rootkits, which exist for virtually every operating system and which install trojan horses or back doors in place of legitimate-looking system binaries (p.12).  He also gives the example of a worm that could be constructed to spread to a large number of machines and allow automatic remote audio surveillance through the built-in PC microphones on target systems (p.9).

In Chapter 3, Avi explains the difference between viruses and trojan horses and tells the story of the first computer virus, UNIX "vd" in 1983, which was designed as a computer science experiment, and of the first significant worm, the Morris Worm in 1988, and how it prompted the establishment of CERT (pp.16-22).  He explains how each of the noteworthy computer worms was able to spread to so many machines.  For example, most desktop computers are fairly homogeneous in terms of the OS (Windows), the web browser (Internet Explorer), and the email client (Outlook Express), and these components are tightly integrated, so a single exploit works almost everywhere (pp.23-29).  Avi also points out the unfortunate fact that most users click "OK" as soon as they see such a button, regardless of what the dialog box is warning them about (p.43).

Chapter 4 begins Part II.  One of the most important points that Avi makes here is that cryptography is worthless if the keys are easily accessible via "bad" passwords or passphrases or via bad physical security (p.49).  He suggests that using smart cards to store many different passwords to different systems is an improvement (p.51).  One interesting point he makes at length is that although any file system encryption program should encrypt the files and directories and then securely "wipe" the space on the physical media where the unencrypted versions resided, it is virtually impossible to stop an attacker with enough resources from reading the original unencrypted data from the physical media (p.51).  He explains the physics behind why this is possible.  It's really quite interesting.  In this chapter, the author also explains technical concepts such as "block cipher", "stream cipher", "CBC", and "MAC" and technologies that use these concepts such as "AES", "Tripwire", "CFS", "PGPDisk", and "Windows 2000 EFS" (pp.55-76).  Avi explains some common hacking techniques, such as offline guessing of passwords with special "hacking dictionaries" that contain not only words from normal language dictionaries, but also permutations and combinations of those words and substitutions of common characters (p.63).  Another attack is to generate a lot of false alarms until the administrator or user stops monitoring the system, at which point the attacker can get in unnoticed (p.62).  A real-world analogy is a car thief setting off a car alarm every 10 minutes until the owner disables the alarm, and then stealing the car.

In Chapter 5, Avi describes secure file systems that can run on top of NFS as well as technical concepts such as EKE, AKE, PAK, and Manber's Scheme (pp.89-91).  He explains that it's important to use "proactive password checking" to make sure that users choose strong passwords in the first place (p.89).  For example, you can set up a filter so that when users are prompted to change their passwords, the new password is rejected if it contains any part of the user's name or doesn't contain a minimum number of characters from several character sets.  Chapter 6 simply describes various techniques and commercial services for securing backup tapes.  It seems, however, that there aren't any really good solutions for this, because either the users have to enter their key every time they initiate a backup or restore, or the key has to be stored with the data, which isn't secure.
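The offline dictionary attack from Chapter 4 and the proactive password filter from Chapter 5 are two sides of the same rule set: the filter should reject exactly what the attacker's mangling rules would generate.  The Python below is an added example written for this review, not code from the book; the substitution table, the suffix list, the three-word wordlist, the salted SHA-256 storage scheme, and the sample user name and passwords are all assumed for illustration.

```python
"""Word-mangling rules used two ways: by an attacker doing offline password
guessing, and by a proactive password filter that rejects what such rules
would generate.  Added illustration, not code from the book."""
import hashlib

# Substitutions and suffixes typical of cracking dictionaries (assumed lists).
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2002"]

# Constructed sample wordlist; a real one holds millions of entries.
WORDLIST = ["password", "winter", "tarheel"]


def mangle(word):
    """Yield the variants of word a cracking dictionary would hold: case
    variants, leet-style substitutions, and common suffixes."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    subbed = set()
    for base in bases:
        leet = base
        for plain, sub in SUBSTITUTIONS.items():
            leet = leet.replace(plain, sub)
        subbed.add(leet)
    for base in sorted(bases | subbed):
        for suffix in SUFFIXES:
            yield base + suffix


def store(password, salt):
    """Salted hash as a system might store it (assumed scheme, for the demo)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def offline_guess(stored_hash, salt, wordlist):
    """Offline guessing against a stolen salt and hash: try every mangled
    variant of every word.  No lockout policy can interfere, because the
    attacker never touches the live system."""
    for word in wordlist:
        for candidate in mangle(word):
            if store(candidate, salt) == stored_hash:
                return candidate
    return None


def proactive_check(password, username, full_name, wordlist, min_len=8):
    """Return the reasons a proposed password is rejected (empty = accepted):
    too short, too few character classes, contains part of the user's name,
    or reachable from a dictionary word by the attacker's own mangling rules."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        reasons.append("needs characters from at least 3 of 4 classes")
    lowered = password.lower()
    for part in [username] + full_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            reasons.append(f"contains name fragment '{part}'")
    for word in wordlist:
        if password in mangle(word):
            reasons.append(f"derivable from dictionary word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    salt = "x7"
    stolen = store("W1nt3r123", salt)          # looks strong, is not
    print("recovered:", offline_guess(stolen, salt, WORDLIST))
    print("filter says:", proactive_check("W1nt3r123", "jdoe", "Jane Doe", WORDLIST))
```

The point of sharing `mangle()` between the two halves is that a password which passes the character-class rule can still fall in seconds to the dictionary, so the filter has to test against the attacker's rules, not just count digits and symbols.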

Chapters 7, 8, and 9 make up Part III, which I have not had a chance to read.  However, they deal with secure data transfer and appear to explain public key cryptography in all its gory detail, along with its common implementations.

Chapters 10 and 11 comprise Part IV.  Avi begins Chapter 10 by explaining that network insiders pose one of the greatest risks to network security but that, unfortunately, there isn't a lot you can do to protect your network from them.  After all, since they are "insiders", they are assumed to be legitimate users.  However, he mentions that you should limit "administrative" privileges as much as possible, use access controls to limit read and write access to sensitive data, enable auditing, and keep insiders happy so they won't be tempted to betray their company for their own profit (p.198).  The author then proceeds to discuss firewalls and the difference between "stateful" and "stateless" firewalls (p.201).  He suggests where firewalls are appropriate in a network and which resources belong inside the firewall and which belong outside.  For example, he says it's very important that dial-in modems and public web servers sit outside of at least one firewall that protects the network.  They can be in a DMZ between two firewalls if necessary, but they need to be isolated from the corporate network so that they cannot be used to reach sensitive data on other servers behind the firewall (pp.203-211).  Avi explains that once you have a firewall in place, you need a VPN solution to let legitimate users back into the network.  One simple and cheap way to provide VPN services is to configure their TCP/IP applications to tunnel through an SSH connection to a server inside the firewall (pp.213-217).  Avi also discusses SecurID cards and one-time passwords using OPIE and S/KEY, as well as best practices for firewall traffic flow limitations and rules.

In Chapter 11, Avi discusses how trojan horses can get installed onto machines in your network and how they can be very difficult to detect.  He says that even legitimate programs can be "infected" with malicious code that rides along inside a DLL and installs a back door into your systems (pp.229-233).  The author discusses popular intrusion detection systems (IDS) and packet sniffers, including sniffers that can reconstruct whole application-level data streams, such as email, telnet, and instant messaging (pp.241-246).  He recommends using "egress filtering" on the firewall or router to help stop machines on your network from participating in a distributed denial of service (DDoS) attack on another remote site (p.248).  In Avi's opinion, however, intrusion detection systems are more useful as post-mortem tools for figuring out what damage has been done than for stopping an attack when it starts (p.244).
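To make the stateful/stateless distinction from Chapter 10 and the egress-filtering advice from Chapter 11 concrete, here is an added toy packet filter in Python, written for this review and not taken from the book.  The 10.1.0.0/16 corporate prefix, the web-only outbound policy, the high-port convention, and the five sample packets are all constructed for the illustration.

```python
"""Toy packet filter contrasting a stateless rule set with stateful
connection tracking, plus an egress anti-spoofing rule.  Added illustration,
not code from the book; the prefix and addresses are made up."""
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # assumed corporate prefix
ALLOWED_OUTBOUND = {80, 443}                     # web only, for the example


@dataclass(frozen=True)
class Packet:
    iface: str    # "inside" (arrived from the LAN) or "outside" (from the Internet)
    src: str
    sport: int
    dst: str
    dport: int


def spoofed(pkt):
    """Egress/ingress anti-spoofing: a LAN packet must carry an internal
    source address and an Internet packet must not.  The egress half is what
    stops a compromised inside host from flooding a remote site with forged
    source addresses."""
    internal_src = ipaddress.ip_address(pkt.src) in INTERNAL
    return internal_src != (pkt.iface == "inside")


class StatelessFilter:
    """Judges every packet on its own.  To let replies to outbound web
    requests back in, it has to admit any inbound packet to a high port,
    which also admits unsolicited probes to those ports."""
    def decide(self, pkt):
        if spoofed(pkt):
            return "DROP"
        if pkt.iface == "inside":
            return "ALLOW" if pkt.dport in ALLOWED_OUTBOUND else "DROP"
        return "ALLOW" if pkt.dport >= 1024 else "DROP"


class StatefulFilter:
    """Records each permitted outbound connection and admits only the
    inbound packets that match one; everything else from outside is dropped."""
    def __init__(self):
        self.table = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt):
        if spoofed(pkt):
            return "DROP"
        if pkt.iface == "inside":
            if pkt.dport in ALLOWED_OUTBOUND:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ALLOW"
            return "DROP"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ALLOW"
        return "DROP"


# Constructed traffic: a web request, its reply, an unsolicited probe to a
# high port, a flood packet with a forged source, and an Internet packet
# claiming an internal source.
SAMPLE = [
    Packet("inside",  "10.1.2.3",     40000, "198.51.100.7", 80),
    Packet("outside", "198.51.100.7", 80,    "10.1.2.3",     40000),
    Packet("outside", "203.0.113.9",  6667,  "10.1.2.3",     40001),
    Packet("inside",  "192.0.2.77",   1234,  "198.51.100.7", 80),
    Packet("outside", "10.1.2.3",     5555,  "10.1.2.9",     22),
]


def run(filt, packets):
    """Apply a filter to packets in order and return the verdicts."""
    return [filt.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), SAMPLE))
    print("stateful: ", run(StatefulFilter(), SAMPLE))
```

The third packet is the one that separates the two designs: the stateless filter must let it through because it cannot tell a reply from a probe, while the stateful filter drops it because no inside host opened that connection.  The fourth and fifth packets are dropped by both, which is the whole effect of the egress and ingress anti-spoofing rules.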

Chapter 12 discusses all the issues involved in securing e-commerce transactions.  The focus of this chapter is obviously on how to implement SSL and ensure that good encryption is actually in use.  For example, the author notes that SSL v2.0 has known security vulnerabilities and that cipher suites with keys shorter than 56 bits are not very secure.  He recommends that you configure your web browsers and SSL servers to disable the weaker forms of SSL encryption (pp.264-265).  He also points out that even if you know that your sensitive data, such as credit card numbers, is being transferred over a secure connection, you have no guarantee that the server on which that data will be stored is secure (p.274).  Avi notes that there are at least 20 "root Certificate Authorities" whose certificates are built into Internet Explorer and Netscape by default, so you can shop around for cheaper certificates (p.261).  Finally, Avi discusses SSL-based "single sign-on" services such as Microsoft Passport and how they can be used to limit the number of places where you have to enter your sensitive data (p.277).

In Chapter 13, Avi describes how important it is to protect your privacy and how many people and companies are constantly trying to gather and cross-reference as much information about you as possible in order to sell it for marketing purposes (p.284).  He also dispels the common misconception that no one would bother to sift through everyone's email: there are sophisticated systems that can automatically sift through very large amounts of email and extract only those messages that contain interesting information (p.285).  This includes the FBI's "Carnivore" system (p.286).  Avi proceeds to discuss secure email systems, such as PGP and S/MIME, anonymous remailers, anonymous web surfing, and the W3C's P3P technology for letting users choose which services they will use based on XML-published privacy policies (p.298).

Points for Review and Critique of the Book:
- Content: What is the book about?  What topics does it cover?  Does it cover an appropriate range of topics?
- Organization: How is the book organized?  Does it flow smoothly from one topic to another?
- Objectivity: Is the author biased toward a particular viewpoint and is he interested in changing the opinions of the readers?
- Audience: Who would be interested in reading this book and why?  What are the recommended uses for this book?
- Use of Language: Is the author's use of language appropriate for the anticipated audience?  How clearly are technical terms and concepts explained?  Is the language consistent throughout the book?
- Level of Detail: How detailed is the discussion of each topic covered in the book?
- Strengths: What are the principal strengths of the book?
- Weaknesses and Suggestions for Improvement: What are the main weaknesses of the book?  How can the author improve the book for the next revision?

Critique of the Book:
- Content: This book does a pretty good job of covering all of the common threats to information systems security and the techniques that have been developed for combating those threats.  I was a little misled by the title of the book, but I could have read the back cover or the index and gotten a better idea of what topics would be covered.
 
- Organization: In general, the book seems to be well organized.  I like that not only are the topics broken up into chapters, but those chapters are grouped into sections, and the author encourages you to go directly to the chapters or sections that concern you the most.  There does seem to be some overlap between chapters and sections, however, and perhaps that could be further reduced.  For example, trojan horses, Tripwire, public-key cryptography, and SSL are discussed in a number of different locations in the book.
 
- Objectivity: Dr. Aviel D. Rubin does not seem to be biased toward a particular viewpoint.  He seems very objective when discussing the technologies and is able to discuss the merits and shortcomings of any information security concept or product.  He mentions several projects that he has personally helped develop, but he doesn't seem to be pushing the readers to use his products above any others.  In addition, Avi doesn't seem to have any bias toward or against any operating systems or vendors.  I find this objectivity refreshing, and it makes the book more enjoyable to read.
 
- Audience: This book would clearly be useful to any systems engineers, security administrators, desktop support personnel, or even concerned home users who want to understand just how information systems security is attacked and what can be done to combat those attacks.  This book would also be very useful as a textbook for an Information Security class, such as INLS187.
 
- Use of Language: Given the wide range of possible readers in the audience for this book, it would be difficult to write at a level that is appropriate for all of them.  I found Avi's technical explanations to be somewhat unclear and hard to follow, even with diagrams.  It may be just that cryptographic algorithms and concepts are very complicated and difficult to explain.  However, I do believe I have read other explanations of public-key cryptography that were much easier to understand.  The language is consistent throughout the book only in that when Avi starts discussing something such as a cryptographic algorithm, he speaks at a very technical level that many readers won't understand.
 
- Level of Detail: The level of detail on each topic seems appropriate for a book of this size.  Avi always provides references to sites with more information on technical topics for those who seek it.
 
- Strengths: I very much like the approach of breaking down all the common information security threats into categories and then dealing with the threats, and how to respond to them, in each category separately.  I like that Avi takes the time not only to discuss the technologies but also to provide illustrations, including screen shots that show how the technologies are implemented.  I also appreciate Avi's enthusiasm for the topics and the interesting stories he tells about the histories of many of the technologies.
 
- Weaknesses and Suggestions for Improvement: At the beginning of Chapter 12, Avi says that he has bought many things online using his credit card in e-commerce transactions and that SSL makes this secure, but later in the chapter he makes it sound like SSL-based e-commerce transactions are really not secure enough and even suggests calling the merchant on the phone to provide the credit card number rather than entering it into the SSL-enabled web form.  I am confused by this mixed message.  Also, unless it is more clearly explained in the one section I haven't read yet, I would like to see a lower-level and more understandable explanation of the cryptographic technologies and how they work.  As previously mentioned, several of the topics are discussed in multiple sections, and it might be better if each were discussed only in the most appropriate section.

Bibliographic Data:
- Aviel D. Rubin. White-Hat Security Arsenal: Tackling the Threats. Addison-Wesley, Boston, MA, 2001.
UNC SILS Library call number TK5105.59.R833 2001