For Christmas, Valorie got me a copy of Michal Zalewski’s “Silence on the Wire“. I have a fair amount of respect for Michal as a security researcher, he’s done some realy interesting stuff, so I was looking forward to reading it (I have no idea where Valorie found it, I didn’t even realize the book existed).
“Silence on the Wire” describes itself as “a Field Guide to Passive Reconnaissance and Indirect Attacks” (I know that because it’s on the front cover of the book). In it, Michal discusses Information Disclosure vulnerabilities and the various ways that information can leak out from a system, even when that system is protected by a firewall. He also discusses (although not in as much detail) ways that you can mount indirect attacks against a host.
I finished it a while ago, and found it “interesting”. Overall, it was a reasonably enjoyable read, but I have to be honest and say that I’m not really sure that the book actually met the discription on the cover. There were also several mysterious (to me) diversions during the course of the book.
For instance, Chapter 2 starts with a huge discussion about how von Neumann computers work, including how memory gates are assembled, etc. While The end of the chapter discusses a way of of using detailed timing analysis to as a covert channel to detect information leaking from sensitive calculation. The hardware discussion was interesting stuff, I’m not sure why it needed to be in a book on passive analysis (and realistically, Charles Petzold did a better job of it in his book “Code“).
There are similar digressions throughout the book (although none as notable as this one).
One of my favorite portions of the book was the one with the pretty pictures ;). In it he discusses a fascinating analysis of the pseudo random number generator that’s used to generate TCP/IP sequence numbers. He showed a series of pictures and some analysis for a series of operating systems, ranging from good to not so good. I do wish he had used more up-to-date operating systems in his analysis, the book was printed in 2005, but he uses examples from Mac OS 9, and Win98 and NT4, and none from Win2K3, or OS X.
Some of my problems with the book are:
While he does a good job pointing out ways information can leak out, he doesn’t really provide ways of mitigating the flaws. That’s a shame, because it limits the usefulness of the book IMHO.
In addition, he doesn’t go back and discuss how vendors have responded to vulnerabilities. A good example of this is his discussion of the GUID. As originally designed, GUIDs were tied to a particular network adapter, and Michal discusses some of the issues associated with this. However, starting in Windows 2000, all UUIDs created no longer have this association with the hardware, he never mentions that fact.
This latter issue means that even if a vendor responded and removed a potential vulnerability, a reader won’t know about it, which is a shame, because it leads the user to believe that there are unaddressed security issues in the vendors product.
Overall, I enjoyed reading the book, I found much of the information presented to be fascinating (and a bit scary).