Tracy R. Reed saw my call for book reviews, and he sent in his review of the book "Silence on the Wire: A Field Guide to Passive
Reconnaissance and Indirect Attacks", by Michael Zalewski. He'd put it on his blog a bit ago, but he'd like to share it with Groklaw. The book is available at Amazon.
"Silence On The Wire" by Michael Zalewski.
~ reviewd by Tracy R. Reed
At first glance, "Silence on the Wire: A Field Guide to Passive
Reconnaissance and Indirect Attacks" by Michael Zalewski does not look
like a book on computer security. All black, not too flashy. What are passive reconnaissance and indirect attacks anyway? But it's
from No Starch Press so it should be something cool. I would say this is
a different kind of computer security book. This book does not give you
the standard advice such as to avoid buffer overflows and turn off
unnecessary services, etc. It takes a more fundamental look at our
hardware, software, and protocols and examines the problem from the
lowest level working up.
The book basically focuses on how to get
information out of a system in ways the designers did not anticipate,
not through any sort of brute force "hacking" (in the negative sense of
the word) but by much more subtle means, such as observation from a
distance without ever letting the target know what is going on, through
the use of various sorts of data leaks and covert channels. Information
is an interesting thing. Lack of information is indeed information
itself. All of these things are examined and explained.
The book consists of 18 chapters and 281 pages, and I think that is just
the right length to cover some of the more interesting ground that
others have not covered a thousand times before. Rather than summarize
the book let me tell you about a few of the parts that I found interesting.
The information presented on timing attacks and entropy etc. was all
very interesting, but then in chapter 2 we encounter around 20 pages
about boolean logic, logic gates, basic machine architecture etc. This
information, while interesting, left me wondering where the author was
going with all of this. Twenty pages is a bit long to leave the reader in
the dark. We ultimately find out how the hardware relates to timing
attacks and computational effort analysis.
I found the in-depth discussion of the OSI model and the byte-level
dissection of the various protocols that make up the protocol stack in
our networks to be very interesting. I have read Richard W. Steven's book
on networking (a long time ago) but this was a very nice review. During
the explanation of the various protocols and layers we learn a few
things about the quirks of each of these layers and how they can reveal
information. We find out how the RFC's (the standards which specify the
protocols/languages which computers use), while specific enough to allow
different machines to talk to each other, are often not completely
without ambiguity and leave room for variance in the various different
implementations. These variances can be observed and used to determine
what OS a machine is running among other things.
Page 109 in chapter 8 is particularly interesting to me. Imagine my
surprise when, just sitting in bed reading along one night, I came
across my own name in a computer security book! It turns out the author
ran across my work in "war-flying" back in 2002 and found it interesting
enough to include in his book.
During the section discussing TCP we learn about TCP sequence numbers
and the need for solid entropy in their generation. Some pretty pictures
are presented which show the probability distribution of the generated
TCP sequence numbers for various different OS's. I remember seeing these
pictures and reading the paperback in 2001 when the author first
published them. You can actually determine what OS a machine is running
by looking at a picture of the distribution of the TCP sequence numbers
it generates. This relates back to the passive OS fingerprinting. The
TCP specification says sequence numbers are to be used but says nothing
about what algorithm to use to generate them.
Overall I found the book quite satisfying, and it clued me into a number
of areas of information leakage that I had not been aware of and
techniques which can be used to exploit them. I liked how the author
presents several real-life stories from his own personal experience
where something very strange and interesting was discovered. This is the
only real computer security book I own. Most other books just seem too
cheesy or unoriginal or out-of-date to bother with. This book is not
only original but it focuses on fundamental ideas that will continue to
be valid for many years to come.
A little info on Tracy Reed. Also on Google and an essay on why he likes Linux.