Friday, April 15, 2005

Curing Critical Security Flaws: Black Hat Physical Device Security by Drew Miller


Hardly a week goes by without an announcement of computer security broken by hackers (most recently, today, as Microsoft announced again that "five new 'critical'-rated security flaws in its Windows, Internet Explorer, Word and Messenger software programs... could allow attackers to take control of a personal computer"). For IT professionals, these crucial system flaws represent the software side of an open door into their companies' secure information.

But we seldom hear about the flip side of system security; software is not the only pathway into a computer system. In Black Hat Physical Device Security, independent security consultant and lecturer Drew Miller describes how to close the open doors of mechanical protection and physical devices surrounding the servers and data storage of a software-secure system.

Miller's approach is a mixture of anecdotal and technical explanation that reads like one of his very entertaining and informative lectures. He opens by describing a triumph in a "hacking contest" put on at a conference he attended, in which the challenge was to hack into one of the Unix conference servers at the hotel. While his opponents worked through the network connections, Miller and an accomplice simply walked down the hall to the server room. As Miller distracted the guard, his accomplice hunted for a server with no password assigned to its "root" superuser. Finding one, he quickly created a text file on the server, and won the contest.

The moral (guard the people doors as diligently as the Internet portals) is carried throughout the book. Miller extends this paradigm to a host of computer security topics, including software and data security. Topics include:
  • Dealing with inherited security problems
  • Enhancing information security (encoding and hashing information, credential authentication)
  • Mitigating exposure once it occurs
  • Monitoring software exposure (why protection is better than detection)
  • Finding and patching cracks in hardware security
  • Authenticating people (why fingerprints are inherently insecure as passwords)
  • Detecting deviations (is it live or is it Memorex?)
  • Notifying systems
One of the most fascinating things in the book (from the perspective of one who is not responsible for an entire corporate network) is the detail Miller goes into regarding cryptography. In Chapter 3, he details generation of random-number cryptography keys, and gives some pointers about when it is appropriate to invest the time in cryptography. For other data-protection purposes, he recommends "hashing," and he includes a program to perform Fibonacci XOR encoding. (The book is loaded with such programs; this is only one of them.) Two of the three Appendices also cover factoring for prime numbers, used in encryption and decryption.
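To make the distinction the review draws between "encoding" and "hashing" concrete, here is an added example (not the program from Miller's book, which the page does not reproduce). It assumes a hypothetical Fibonacci XOR scheme in which each message byte is XORed with the low byte of successive Fibonacci numbers; beside it, a SHA-256 digest stands in for the one-way hashing the review says the author recommends for other data-protection purposes.

```python
"""Fibonacci-keyed XOR encoding beside a one-way hash.

Assumption: the book's Fibonacci XOR program is not on the page, so this is a
hypothetical reconstruction: byte i of the message is XORed with the low byte
of Fibonacci number F(i), seeded by the caller.
"""
import hashlib
from typing import Iterator


def fib_keystream(a: int = 1, b: int = 1) -> Iterator[int]:
    """Yield the low byte of each Fibonacci number F(n) = F(n-1) + F(n-2)."""
    while True:
        yield a & 0xFF
        a, b = b, (a + b) & 0xFFFFFFFF  # bound growth; only the low byte is used


def fib_xor(data: bytes, a: int = 1, b: int = 1) -> bytes:
    """XOR every byte with the keystream. XOR is its own inverse, so calling
    this twice with the same seeds returns the original bytes: the operation
    is reversible, which is what makes it an encoding rather than a hash."""
    return bytes(x ^ k for x, k in zip(data, fib_keystream(a, b)))


def sha256_hex(data: bytes) -> str:
    """One-way digest. Good for integrity checks and (with a salt and a slow
    key-derivation function) for credential storage; nothing can be recovered
    from it, which is the property the review's 'hashing' relies on."""
    return hashlib.sha256(data).hexdigest()


def keystream_exposed_by(plaintext: bytes, encoded: bytes) -> bytes:
    """Caveat for defenders: because the keystream depends only on the seeds,
    one known message reveals the keystream prefix for every other message
    encoded with the same seeds. Treat such encoding as obfuscation, not as
    confidentiality protection."""
    return bytes(p ^ c for p, c in zip(plaintext, encoded))


if __name__ == "__main__":
    msg = b"guard the people doors"  # constructed sample input
    enc = fib_xor(msg)
    print("encoded :", enc.hex())
    print("decoded :", fib_xor(enc))
    print("sha256  :", sha256_hex(msg))
    print("exposed keystream prefix:", list(keystream_exposed_by(msg, enc)))
```

The point the block makes is the one a reviewer of any "encoding" program should check first: if the same routine run twice gives back the input, it protects secrecy only as far as its seeds are secret and unpredictable, whereas a hash cannot be run backwards at all.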

The information Miller provides is scattered throughout the book, despite the chapter organization. The chapter on monitoring software exposure, for example, contains tips on password authentication, input certification, and hardware exposure, even though it mainly focuses on determining where your system software leaves you vulnerable to hackers. One example is the widespread exposure to denial-of-service attacks that comes from configuring a system to lock users out after a certain number of failed password attempts!
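The lockout problem the review singles out is easy to show in a few lines. The following is an added example, not code from the book: it simulates two login policies against the same constructed stream of attempts. With a hard per-account lockout, a handful of deliberate bad guesses from one source locks the real user out; with a hypothetical per-(user, source) throttle, the same burst is slowed down without denying the account to anyone else. All names, addresses and the threshold are constructed for the demonstration.

```python
"""Account-lockout denial of service versus per-source throttling (simulation).

Added example; policies, names and events are hypothetical and constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # constructed value for the demonstration


@dataclass
class HardLockoutPolicy:
    """Locks the *account* after N failed attempts from anyone. Whoever sends
    N bad passwords, including someone who never knew the password, denies
    service to the legitimate user."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def attempt(self, user: str, source: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return "denied"


@dataclass
class SourceThrottlePolicy:
    """Counts failures per (user, source) and throttles only that pair, so a
    burst of bad guesses from one source leaves the account usable from
    elsewhere. Real deployments layer backoff, alerting and a second factor on
    top, since a widely distributed attacker still needs to be detected."""
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def attempt(self, user: str, source: str, password_ok: bool) -> str:
        key = (user, source)
        if self.failures[key] >= LOCKOUT_THRESHOLD:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


# Constructed event stream: three bad guesses for "alice" arrive from
# 203.0.113.9, then alice herself logs in correctly from 192.0.2.10.
EVENTS = [
    ("alice", "203.0.113.9", False),
    ("alice", "203.0.113.9", False),
    ("alice", "203.0.113.9", False),
    ("alice", "192.0.2.10", True),
]


def run(policy, events=EVENTS):
    """Feed the events through a policy and return the outcome of each."""
    return [policy.attempt(user, source, ok) for user, source, ok in events]


if __name__ == "__main__":
    print("hard lockout    :", run(HardLockoutPolicy()))    # last entry: locked
    print("source throttle :", run(SourceThrottlePolicy()))  # last entry: ok
```

The simulation keys failures on an opaque "source" string; what counts as a source (client address, session, device) is a design decision, and the throttle is only as good as the attacker's inability to vary it cheaply, which is why the throttle should be paired with monitoring rather than relied on alone.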

This is crucial information for anyone whose business and reputation rely on the security of their computer system. In today's world, there is hardly an enterprise that does not fall into this category.


Please join us at BlogCritics to comment on this review.
