
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 19 May 2006 00:00:00 00, 527
Book Review: How to Break Web Software

Mike Andrews and James Whittaker have chosen an unfortunate title for what is a very good book describing the lamentable state of web application development and the plethora of security problems web applications pose.

I find the title disappointing because How to Break Web Software suggests this is another book by media darling attackers who seize every opportunity to show they are clever and everyone else is not. While the subtitle clearly has less shelf appeal, Functional and Security Testing of Web Applications and Web Services more clearly identifies what you'll learn should you read this book.

The authors begin by explaining the problem space (web applications and emerging web services) and why this space is problematic (the distributed nature of the web, the extensive and extensible nature of the application development languages and protocols). They then describe web attack methodologies, and explain how each component of a web application (client, server, and the underlying network) can be attacked. The authors present a series of attacks, for each describing the attacker's objective, opportunity (when to apply the attack), how to conduct the attack, and most importantly, how to protect against the attack. The book concludes with discussions of authentication and privacy issues for the web.

This book is much more than a lame dissertation by a lame-oh clever enough to write a script that takes advantage of someone else's poorly written script. It is also written largely in "plain speak": if you know something about networking and web applications, you will be able to try many of the security tests the authors describe by simply reading the chapter and using the tools provided in an accompanying CD.

If I haven't convinced you to spend the twenty-odd dollars on a copy, at least read Fifty Years of Software: Key Principles for Quality, by James Whittaker and Jeffrey Voas. Reprinted as an appendix to the book, this article offers many insights into how software has evolved - or devolved - to the state we see today.

Archived at http://www.securityskeptic.com/arc20060501.htm#BlogID527 by Dave Piscitello  


Wed, 22 Mar 2006 00:00:00 00, 514
Order now!

I'm excited to announce that Understanding Voice over IP Security, by Alan Johnston and David Piscitello, will be available April 2006. Order now from Amazon.com and Artech House.

Table of Contents:

Introduction.

Introduction to Cryptography.

VoIP Systems.

Internet Threats and Attacks.

Internet Security Architectures.

Security Protocols.

General Client and Server Security Principles.

Authentication.

Signaling Security.

Media Security.

Identity.

PSTN Gateway.

Spam and Spit.

Conclusions

Understanding Voice over IP Security, available April 2006

Archived at http://www.securityskeptic.com/arc20060301.htm#BlogID514 by Dave Piscitello  


Mon, 09 Jan 2006 00:00:00 00, 490
From the author

I wrote a review of Windows XP Security Solutions in my BlogID 485. Today, I received a note from author Dan DiNicolo that confirms some of my speculations:

Hello Dave,

I just came across your blog entry on my new book. I'm glad you enjoyed it, and was happy to see the positive review. As you mentioned, the book is aimed at the average end-user rather than the in-the-know professional. My decision to write the book was largely born of frustration - the fact that an avalanche of information is available on the topic, and yet the majority of home users' Windows XP systems remain infected.

Anyhow, I just thought I'd drop you a line to say thank you. I hope that people get the message, be it from my book or otherwise.

All the best,

Dan

So now you have another reason to buy the book. Support Dan, he's a nice guy :-)

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID490 by Dave Piscitello  


Wed, 15 Jun 2005 00:00:00 00, 417
Tour de France for Dummies

I'm on the review list for the "...for Dummies" series. Don't ask; I can't tell you why (I honestly don't know).

Techies may think "...for Dummies" confines itself to PCs, networking, and security. How wrong you are.

To give you a sense of just how wide a range of topics Dummies books cover, here's a list of titles I've received recently:

  • Writing Children's Books for Dummies

  • Parrots for Dummies

  • Chemotherapy and Radiation for Dummies

  • Tour de France for Dummies

Even though I write regularly about security, I'm not qualified to comment on a book that professes to teach you to write Children's books (maybe I am but I'm being polite).

I will admit to finding birds in general and parrots in particular highly unappealing pets, so this one's available to whomever will pay S&H.

My wife is a licensed nurse practitioner, all too familiar with cancer and its treatment. Initially, she laughed when I received the book, but after thumbing through it she thought it covered most of the issues and questions people have when they or a family member is diagnosed with some form of cancer, but dutifully warned that it's for background information and support, and not a substitute for medical advice from a physician/oncologist.

I found Tour de France for Dummies highly entertaining. I've followed le Tour for years, and have learned bits and pieces about its history. The book provides a fair bit of history; explains the rules; and provides the obligatory "Top Ten" lists of riders, legs, and unique statistics.

I spent an hour speed reading the entire book (hey, it's not Moby Dick). Two chapters I thoroughly enjoyed were "Spending a Day in the Life of a Rider" and "Understanding Race Strategies." Without question, the most amusing discussion was "Heeding Nature's Call While Riding", where authors Phil Liggett, James Raia, and Sammarye Lewis answer the question, "Hey, what do they do when they gotta go?"

Read the book to find out. I will tell you that riders in the peloton obey an unwritten and absolute rule not to attack while riders are "watering the sunflowers" :-)

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID417 by Dave Piscitello  


Mon, 02 Aug 2004 00:00:00 00, 289
Book Review: Authentication, from Passwords to Public Keys

Authentication is widely regarded as the enabler of all security services and policy enforcement: until you can confirm an identity in a non-repudiable manner, you should not provide that person, computer, data object, or program any privileges (access, network admission, execution,...). Despite the fact that we remain mired in a password-based world, many stronger authentication methods are available. Enumerating authentication systems and their characteristics is a simple task. Identifying the limitations and vulnerabilities inherent to each, and explaining how and where each may be best applied is hard work.

Richard E. Smith tackles both tasks in Authentication: From Passwords to Public Keys. Once the obligatory background material is covered (history, evolution of reusable credentials, the people factor), Smith devotes chapters to token, biometric, challenge-response, and digital certificate systems, and ticket granting services. For each, Smith explains the authentication system, and complements this with a discussion of the common attack spaces and countermeasures (e.g., use of longer keys to resist brute force or trial-and-error attacks).

I've had this book for a while. It's vintage 2002, but with the exception of changes to Windows authentication systems from Server 2000 to 2003, I believe the material remains extremely accurate. If you must bone up on authentication systems, and are happy to forego the cryptanalysis, you'll find this book a very useful and insightful read.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID289 by Dave Piscitello  


Sat, 26 Jun 2004 00:00:00 00, 274
More Stephen Lawhead recommendations

I wrote earlier that I thoroughly enjoyed and recommended Stephen Lawhead's Celtic Crusades series - The Iron Lance, The Black Rood, and The Mystic Rose. I found several other Lawhead books fascinating, and recommend these as well:

  • Avalon is a curious story of the return of Arthur Pendragon in the modern millennium. Lawhead uses a Welsh prophecy - that Arthur will return to battle evil and that Avalon will rise again - as the basis for this tale. The story switches millennia frequently, as the modern-day Arthur recalls his loves and wars and wizardry. Merlin's in the modern day as well. A very different Arthurian tale.

  • Byzantium tells a tale of an Irish monk sent on a pilgrimage to present the Emperor of Byzantium with the Book of Kells. Like the Celtic Crusades, this book weaves history, myth, and religion. In the narrative, the young monk relates his numerous adventures, misfortunes and unexpected encounters, a fall from grace and faith, and ultimately, his epiphany. Lawhead's always entertaining, but I think this book in particular is an outstanding accomplishment.

I've ordered the first three books of Lawhead's Pendragon Cycle, and hope to read these while camping later this month.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID274 by Dave Piscitello  


Mon, 21 Jun 2004 00:00:00 00, 269
Book Review: Hacking for Dummies

I'm not a big "... for Dummies" book fan. Perhaps if they were "... for the self-deprecating but actually reasonably intelligent" I would feel better. The primary definition of "dummy" is actually silent or mute, so the titles offend me and are not PC. One last criticism about the title before I tell you why I recommend the book. The title ought to be Ethical Hacking for Dummies, since the author states at the outset that the book's not a training guide for mischief and malice.

On to the positive. The author, Kevin Beaver, takes a very broad and misunderstood topic and does a commendable job providing a training guide for testing networks for vulnerabilities. He covers the fundamentals of assessing networks, and computer systems for misconfigurations, missing patches, and flawed designs. He tackles the unenviable task of assessing multi-operating system security, covering Windows, Linux, and Novell NetWare. Kevin covers Wireless LANs and application security, two areas that deserve additional coverage. If you were to simply read the summary sections of each chapter and apply the recommended measures, you would undoubtedly improve your network security.

Kevin sets the bar for prior knowledge lower than I believe readers actually need in his *Foolish Assumptions*. He fails to mention that anyone who sets out to assess a network needs to know a good deal about Internet protocols. While it's true you can learn quite a bit by simply running some scanning tools and reading LAN analyzer output, this book isn't for the same audience that would purchase "World Wide Web for Dummies" or "Microsoft Office for Dummies". If you are keen on becoming an Ethical Hacker, become a protocol guru first. I still recommend Richard Stevens' TCP/IP Illustrated, a 1993 work of art that is still in print and a living testimony to a special man who is sorely missed.

This is a good introductory book on Ethical Hacking published in a misleading genre. I suggest you buy the book, cover it with brown paper as we did in elementary school, and write "My First Book of Ethical Hacking".

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID269 by Dave Piscitello  


Wed, 17 Mar 2004 00:00:00 00, 219
Off Topic: Recommended Reading

Scott Pinzon - colleague, editor and friend - sent an email to me in response to one of my blog digests. His comment:

"I am convinced you read other cool books besides security tomes. I, for one, would be interested in seeing you blog reviews of your favorite off-topic reads."

I enjoy science fiction and fantasy. I have recently been enjoying Stephen Lawhead, who writes historical fiction. His trilogy, The Celtic Crusades, describes the quests of three generations of a Scottish family to recover Holy Relics:

  • The Iron Lance, used by a Roman soldier to verify that Christ had died on the cross,

  • The Black Rood, a piece of the cross itself, and

  • The Mystic Rose, the Holy Grail, the cup used by Christ at the Last Supper.

If you enjoy rich vocabulary and descriptive narrative, you'll really enjoy Lawhead. Being an Anglophile, I also love the clever way Lawhead manages to relate the events of the Crusades.

Not satisfied with this trilogy, I also read Lawhead's Avalon, an amusing story about the reincarnation of King Arthur in modern day England. Perhaps the most enjoyable of all Lawhead's books is Byzantium. Byzantium is another fictional quest, this time relating a pilgrimage to present the Book of Kells to the Emperor of Byzantium. The plot is a familiar one in literature: a young man of faith suffers a succession of misfortunes, pain, and misery; feeling abandoned by God, he abandons God, but ultimately regains his faith through a remarkable sequence of events. I imagine Lawhead's story board for Byzantium was the most intricate of all his novels.

All Stephen Lawhead's novels are in paperback, published by Harper Torch and available at Amazon. I'm looking forward to time this summer to read the five books comprising his Pendragon Cycle.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID219 by Dave Piscitello  


Wed, 14 Jan 2004 00:00:00 00, 195
Field Guide to WLANs

Prentice Hall sent me a copy of Thomas Maufer's book, A Field Guide to Wireless LANs for Administrators and Power Users. Thomas Maufer presents all the material you'd expect from a book published in 2003 on a subject that's been in the tech limelight since the late 1990s. The book is very accurate and well-written, but not particularly inspiring. Maufer spends about two-thirds of the book covering the 802.11 protocols, standards and operation. This information is broadly available, and Maufer does a commendable job explaining engineering-level details in a manner that will appeal to even the most general audience. Maufer performs packet dissection and analysis from captured WiFi traffic, a convention I use frequently because I feel it is more "real world" than the standards regurgitation I've seen too often from William Stallings and company.

The remaining third of the book covers security and applications (deployment scenarios). The coverage on security is disappointing. Maufer does a good job covering the security features defined in the 802.11 standards (WEP, user authentication including EAP...) and explains WEP's flaws brilliantly, but he doesn't cover the complementary security measures commonly recommended as "best practices". If you do buy this book, you should buy a complementary one to learn about securing wireless LANs, or read the dozens upon dozens of columns, white papers, and articles my partner, Lisa Phifer, has written on the subject.

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID195 by Dave Piscitello  


Thu, 20 Nov 2003 00:00:00 00, 169
Book Review of The Myth of Homeland Security

Marcus Ranum's Myth of Homeland Security is a sobering and insightful look at the policies enacted following the September 11 attacks, and the bureaucracies responsible for their implementation and enforcement. Marcus subjects the U.S. Patriot Act, the Department of Homeland Security and its constituent organizations to a level of scrutiny few American and even world citizens have attempted. He describes how conflicting political agendas, personal ambition, empire building, and animosity rendered the Three Letter Agencies dysfunctional in the past, and how the DHS threatens to prolong rather than remedy the problem. He lambasts the press for its obsession with perpetuating fear, uncertainty and doubt; legislators, for pork-barrel legislation guaranteed passage as riders to the Patriot Act; security vendors and Beltway bandits for fanning the flames of fear for profit. No party's left unscathed, and the book is a compelling read precisely for this reason.

Marcus relates stories of oversight, in-fighting, and fumbled handoffs between agencies, absurd and insipidly foolish behavior by the press, and self-serving actions by government agencies and legislators. You'll find reason to laugh in nearly every chapter, but if you are like me, the laughter will hint of irony and discomfort. Marcus leaves me unsettled, and re-kindles the same existential sense of vulnerability I felt as I watched the Twin Towers burn and collapse over and over and over on television from my hotel room in Atlanta, far from my family. He reminds us that we can never be 100% safe without sacrificing freedoms we enjoy and changing the ways we live and behave.

This is not a technology book. It's certainly not the kind of book that anyone familiar with Marcus Ranum's many contributions and remarkable accomplishments in the field of Internet Security would expect. But it's precisely the kind of "suffer no fools" analysis colleagues and close friends find most engaging and remarkable, and have come to expect. Myth of Homeland Security ranks high on my list of worthwhile and thought-provoking reads.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID169 by Dave Piscitello  


Fri, 03 Oct 2003 00:00:00 00, 138
Mission-Critical Planning

Matthew Liotine's new book, Mission Critical Planning will be released shortly.

My Foreword is available here, and now.

This is an excellent book, and provides very practical and useful advice for anyone involved in business, network, and services continuity planning. I reviewed every chapter, and still refer to the pre-production manuscript. I'm looking forward to receiving my copy soon.

You can order a copy at Amazon.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID138 by Dave Piscitello  


Fri, 12 Sep 2003 00:00:00 00, 121
Online Security Books

You can download David Wheeler's Secure Programming for Linux and Unix HOWTO without fee. This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. This document includes specific guidance for a number of languages, including C, C++, Java, Perl, Python, and Ada95.

Another free ebook available for download is Jason Coombs' IIS Security and Programming Countermeasures. Jason published/pushed his announcement with the following sentiment:

"It is my hope that those administrators and programmers who are presently at-risk due to the use of IIS will learn something valuable from this manuscript."

Well done.

Archived at http://www.securityskeptic.com/arc20030901.htm#BlogID121 by Dave Piscitello  


Wed, 28 May 2003 00:00:00 00, 60
Foreword to Network Analysis, Architecture, and Design - Online

Morgan Kaufmann has given me permission to post the Foreword I've written for the 2nd Edition of Jim McCabe's book, Network Analysis, Architecture, and Design. You can find the Acrobat file here.

Archived at http://www.securityskeptic.com/arc20030501.htm#BlogID60 by Dave Piscitello