Security

July 21, 2008

The New School of Information Security

On the forty-second page of “The New School of Information Security” authors Adam Shostack & Andrew Stewart, wrote (some emphasis added):

The New School of Information Security [cover]

be disproved. If the position can't be tested, it's a belief—not science. This chapter examines sources of evidence and the value they might provide. In doing so, we can evaluate to what degree they can help us evaluate claims, large and small, and make the right security decisions.

Someone with no training in physics might think that heavier objects fall faster than lighter ones. But we know through scientific testing that all objects falling toward the Earth accelerate at the same rate (although they may be slowed by air resistance). It was Galileo who posed the hypothesis that everything falls at the same rate. He supposedly performed a test in which he simultaneously dropped two objects weighing different amounts from the Leaning Tower of Pisa.

The scientific orientation has been incredibly effective at increasing our understanding of the world. It includes formulating and testing hypotheses and sharing the methods of testing and results of those tests. A hypothesis is simply a testable suggestion. Tests never actually prove a hypothesis. Good tests fail to disprove the hypothesis being tested and thereby provide evidence in favor of the hypothesis. The difference is both subtle and important. For example, someone might hypothesize that the coelacanth fish is extinct, yet this was disproven in 1938 when a living specimen was caught. It's impossible to prove a negative, because there's always the possibility that a counter-example is out there somewhere. We might have other ideas we believe, but evidence to disprove them might be lurking right around the corner. The disproof of a hypothesis may or may not make it worthless. For example, Newton's laws of motion are still used in civil engineering, even though they are "wrong" and don't apply at very high speeds or at atomic scales.

The ideal way to test a hypothesis is by experiment. Good experimental design changes one variable at a time and sees what else changes, or pits two hypotheses against each other.

More information about “The New School of Information Security” (and the book itself) is available from:

(Addison-Wesley Professional, April 2008. Hardcover, 238 pages. ISBN: 0321502787; EAN: 9780321502780.)

Posted on July 21, 2008 at 10:00 PM in Security | | Comments (0) | TrackBack (0)

|

Security Engineering

On the forty-second page of “Security Engineering: A Guide to Building Dependable Distributed Systems” Cambridge University security engineering pioneer Ross J. Anderson wrote (some emphasis added):

Security Engineering: A Guide to Building Dependable Distributed Systems [cover]

upgrade' to log on to the bank's website and authenticate themselves using a card number and an ATM PIN[739]. Meanwhile a marketing spam from the Bank of America directed UK customers to mynewcard.com. Not only is spam illegal in Britain, and the domain name inconsistent, and clickable links a bad idea; but BoA got the certificate wrong (it was for mynewcard.bankofamerica.com). The 'mynewcard' problem had been pointed out in 2003 and not fixed. Such bad practices are rife among major banks, who thereby train their customers to practice unsafe computing—by disregarding domain names, ignoring certificate warnings, and merrily clicking links[399]. As a result, even security experts have difficulty telling bank spam from phish[301].

But perhaps the worst example of all came from Halifax Share Dealing Services, part of a large well-known bank in the UK, which sent out a spam with a URL not registered to the bank. The Halifax's web page at the time sensibly advised its customers not to reply to emails, click on links or disclose defaults—and the spam itself had a similar warning at the end. The mother of a student of ours received this spam and contacted the bank's security department, who told her it was a phish. The student then contacted the ISP to report abuse, and found that the URL and the service were genuine—although provided to the Halifax by a third party[842]. When even a bank's security department can't tell spam from phish, how are their customers supposed to?

2.4.6 Trusted Path

The second thread in the background of phishing is trusted path, which refers to some means of being sure that you're logging into a genuine machine through a channel that isn't open to eavesdropping. Here the deception is more technical than psychological, rather than inveigling a bank customer into revealing her PIN to you by claiming to be a policeman, you steal her PIN directly by putting a false ATM in a shopping mall.

Such attacks go back to the dawn of time-shared computing. A public terminal would be left running an attack program that looks just like the usual login screen—asking for a user name and password. When an unsuspecting user does this, it will save the password somewhere in the system, reply 'sorry, wrong password' and then vanish, invoking the genuine password program. The user will assume that he made a typing error first time and think no more of it. This is why Windows has a secure attention sequence, namely ctrl-alt-del, which is guaranteed to take you to a genuine password prompt.

If the whole terminal is bogus, then of course all bets are off. We once caught a student installing modified keyboards in our public terminal room to capture passwords. When the attacker is prepared to take this much trouble,

More information about “Security Engineering: A Guide to Building Dependable Distributed Systems” (and the book itself) is available from:

(John Wiley & Sons, April 2008. Hardcover, 1040 pages. ISBN: 0470068523; EAN: 9780470068526.)

Posted on July 21, 2008 at 06:00 AM in Programming, Security | | Comments (0) | TrackBack (0)

|

June 06, 2008

The Art of Deception

On the forty-second page of “The Art of Deception” author Kevin Mitnick wrote (emphasis added):

The Art of Deception [cover]

Note: You may notice I refer to social engineers, phone phreaks, and con-game operators as "he" through most of these stories. This is not chauvinism; it simply reflects the truth that most practitioners in these fields are male. But though there aren't many women social engineers, the number is growing. There are enough female social engineers out there that you shouldn't let your guard down just because you hear a woman's voice. In fact, female social engineers have a distinct advantage because they can use their sexuality to obtain cooperation. You'll find a small number of the so-called gentler sex represented in these pages.

The First Call: Andrea Lopez

Andrea Lopez answered the phone at the video rental store where she worked, and in a moment was smiling: It's always a pleasure when a customer takes the trouble to say he's happy about the service. This caller said he had had a very good experience dealing with the store, and he wanted to send the manager a letter about it.

He asked for the manager's name and the mailing address, and she told him it was Tommy Allison, and gave him the address. As he was about to hang up, he had another idea and said, "I might want to write to your company headquarters, too. What's your store number?" She gave him that information, as well. He said thanks, added something pleasant about how helpful she had been, and said good-bye.

"A call like that," she thought, "always seems to make the shift go by faster. How nice it would be if people did that more often."

The Second Call: Ginny

"Thanks for calling Studio Video. This is Ginny, how can I help you?"

"Hi Ginny," the caller said enthusiastically, sounding as if he talked to Ginny every week or so. "It's Tommy Allison, manager at Forest Park, Store 863. We have a customer in here who wants to rent Rocky 5 and we're all out of copies. Can you check what you've got?"

She came back on the line after a few moments and said, "Yeah, we've got three copies."

"Okay, I'll see if he wants to drive over there. Listen, thanks. If you ever need any help from our store, just call and ask for Tommy. I'll be glad to do whatever I can for you."

This book is available for purchase from:

Posted on June 06, 2008 at 02:00 PM in Security | | Comments (0) | TrackBack (0)

|

March 2009

Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

About 42ndPage.com

  • What's so special about the number 42?
  • Tell us what you'd like to see featured

    We're always interested in reader feedback, especially suggestions of books to feature! Email: michael@cleverly.com.

    Please put 42ndPage.com in the subject of your email (to help avoid spam filtering).

Subscribe to this blog's feed

Categories

Archives

Categories