Forgot your password?
typodupeerror

+ - Book review: Bulletproof SSL and TLS

Submitted by benrothke
benrothke (2577567) writes "Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications

Author: Ivan Ristic

Pages: 530

Publisher: Feisty Duck

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-1907117046

Summary: Tremendous guide on how to correctly deploy TLS by one of the top experts in the field



If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLShas shown that perhaps the emperor isnt wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = securitymyth is dispelled.



For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL./TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security.



Ristic is the author of the SSL Labs web site; a site dedicated to everything SSL, including extensive documents and tools.



One would think that it's impossible to write an interesting book about a security protocol. But for those who use SSL or just want to understand what it's all about, the book is not only quite practical, but a very interesting read.



The book provides a good balance of overview, protocol details, summary of vulnerabilities and weaknesses, and a large chunk of practical deployment guidance.



The first three chapters provide an excellent overview to SSL, TLS, PKI and cryptography. While chapter 2 may be a bit dry, the introduction is thorough and comprehensive.



Chapter 4 is particularly interesting in that the author notes that while the cryptography behind SSL and PKI is fundamentally secure, there is an inherent flaw in how PKI operates, in that any CA (certificate authority) is able to issue a certificate for any name without have to seek approval from the domain name owner. This trust dependency creates numerous attack vectors that can be exploited.



The chapter details a number of significant incidents that arose from this flaw, from the 2001 code signing certificate mistake; where Verisign mistakenly issued Class 3 code signing certificates to someone claiming to be a Microsoft employee, to the Flame malware, which was signed with a bogus certificate that was seemingly signed by Microsoft, to a number of other issues.



In chapter 5, the book details a number of HTTP and browser issues, and related TLS threats. Attacks such as sidejacking, cookie stealing, cookie manipulation and more are detailed.



The author wisely notes that cookies suffer from two main problems: that they were poorly designed to being with, allowing behavior that encourages security weaknesses, and that they are not in sync with the main security mechanisms browsers use today, namely same-origin policy (SOP).



The chapter also details a significant TLS weakness in that that certificate warnings generated often leaves the clueless user to make the correct decision on how to proceed.



Ristic writes that if you receive an alert about an invalid TLS certificate, the right thing to do is immediately abandon the connection attempt. But the browser won't do that. Browser vendors decided not to enforce TLS connection security; rather they push the problem down to the user in the form of a certificate warning.



The problem is that when a user gets a certificate warning error, they simply don't know what to do to determine how big of an issue it really is, and will invariably choose to override the warning, and proceed to the website.



The challenge the user face is that these certificate warning errors are pervasive. In 2010, Ristic scanned about 119 million domain names (.com, .net and .org) searching for TLS enables sites. He found that over 22 million or 19% of the sites hosted in roughly 2 million IP addresses. But only about 720,000 had certificates whose names matches the intended hostname.



The chapter also details that the biggest problem with security indicators, similar to the certificate warnings, is that most users don't pay attention to them and possible don't even notice them.



As valuable as the first half of the book is, its significance really comes alive starting in chapter 8 on deployment issues. The level of security TLS offers only works when it is deployed correctly, and the book details how to do that. Given that OpenSSL, which is the most widely used SSL/TLS library, is notorious for being poorly documented and difficult to use, the deployment challenges are a significant endeavor.



Another issue with TLS, is that it can create performance issues and chapter 9 provides a lot of insight on performance optimization. The author quotes research from Google that SSL/TLS on their email systems account for less than 1% of the CPU load, less than 10kb of memory per connection, and less than 2% of the network overheard. The author writes that his goal is to enable the reader to get as close as possible to Google's performance numbers.



SSL/TLS has a reputation for being slow, but that is more a remnant of years ago when CPU's were much slower. With better CPU's and the optimization techniques the book shows, there is no reason not to use TLS.



For those that want an initial look, the table of contents, preface, and chapter 1 are available here. Once you get a taste of what this book has to offer, you will want to read the entire book.



As noted earlier, OpenSSL is poorly documented. InBulletproof SSL and TLS, Ivan Ristic has done the opposite: he has written the most readable and insightful book about SSL/TLS to date. TLS is not so difficult to deploy, but incredibly easy to deploy incorrectly. Anyone who is serious about ensuring that their SSL/TLS deployment is effective should certainly read this book.





Reviewed by Ben Rothke"

+ - Book review: Countdown to Zero Day: Stuxnet and the Launch of the World's First

Submitted by benrothke
benrothke (2577567) writes "Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon

Author: Kim Zetter

Pages: 448

Publisher: Crown

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0770436179

Summary: Outstanding narrative about Stuxnet — how it was developed, quarantined and debugged





A word to describe the book Takedown: The Pursuit and Capture of Americas Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction.



Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weaponhas certainly upped the ante for accurate computer security journalism.



The book is a fascinating read and author Kim Zetters attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book.



For those that want to know the basics about Stuxnet, its Wikipediaentry will suffice. For a deeper look, the book take a detailed look at how the Stuxnet worm of 2010 came to be, how it was written, discovered and deciphered, and what it means for the future and provides nearly everything known to date about Stuxnet.



The need to create Stuxnet was the understanding that a nuclear Iran was dangerous to the world. The book notes that it just wasn't the US and Israel that wanted a nuclear free Iran; Egypt and Saudi Arabia were highly concerned about the dangers a nuclear Iran would bring to the region.



What is eminently clear is that Iran chronically lied about their nuclear intentions and actions (chapter 17 notes that former United Kingdom Prime Minister Gordon Brown told the international community that they had to do something over Iran's serial deception of many years) and that the United Nations International Atomic Energy Agency (IAEA) is powerless to do anything, save for monitoring and writing reports.



Just last week, President Obama said a big gap remains in international nuclear negotiations with Iran and he questioned whether talks would succeed. He further said "are we going to be able to close this final gap so that (Iran) can reenter the international community, sanctions can be slowly reduced and we have verifiable, lock tight assurances that they cant develop a nuclear weapon, theres still a big gap. We may not be able to get there". It's that backdrop to which Stuxnet was written.



While some may debate if Stuxnet was indeed the worlds first digital weapon, it's undeniable that it is the first piece of known malware that could be considered a cyber-weapon. Stuxnet was unlike any other previous malware. Rather than just hijacking targeted computers or stealing information from them, it created physical destruction on centrifuges the software controlled.



At just over 400 pages, the book is a bit wordy at times, but Zetter does a wonderful job of keeping the book extremely readable and the narrative enthralling. Writing about debugging virus code, Siemens industrial programmable logic controllers (PLC) and Step7 software (which was what Stuxnet was attacking) could easily be mind-numbingly boring, save for Zetter's ability to make it a compelling read.



While a good part of the book details the research Symantec, Kaspersky Lab and others did to debug Stuxnet, the book doesn't have and software code, which makes it readable for the non-programmer. The book is technical and Zetter gets into the elementary details of how Stuxnet operated; from reverse engineering, digital certificates and certificate authorities, cryptographic hashing and much more. The non-technical reader certainly won't be overwhelmed, but at the same time might not be able to appreciate what went into designing and making Stuxnet work.



As noted earlier, the book is extremely well researched and all significant claims are referenced. The book is heavily footnoted, which makes the book much more readable than the use of endnotes. Aside from the minor error of mistakenly calling Kurt Gödel a cryptographer on page 295, he was a logician; Zetter's painstaking attention to detail is to be commended.



Whoever wrote Stuxnet counted on the Iranians not having the skills to uncover or decipher the malicious attacks on their own. But as Zetter writes, they also didn't anticipate the crowdsourced wisdom of the hive — courtesy of the global cybersecurity community that would handle the detection and analysis for them. That detection and analysis spanned continents and numerous countries.



The book concludes with chapter 19 — Digital Pandora — which departs from the details of Stuxnet and gets into the bigger picture of what cyber-warfare means and its intended and unintended consequences. There are no simple answers here and the stakes are huge.



The chapter quotes Marcus Ranum who is outspoken on the topic of cyber-warfare. At the 2014 MISTI Infosec World Conference, Ranum gave a talk on Cyberwar: Putting Civilian Infrastructure on the Front Lines, Again. Be it the topic or Marcus just being Marcus, a third of the participants left within the first 15 minutes. But they should have stayed, as Ranum, agree with him or not, provided some riveting insights on the topic.



The book leave with two unresolved questions; who did it, and how did it get into the Nantanz enrichment facility.



It is thought the US with some assistance from Israel created Stuxnet; but Zetter also writes that Germany and Great Britain may have done the work or at least provided assistance.



It's also unknown how Stuxnet got into the air-gapped facility. It was designed to spread via an infected USB flash drive. It's thought that since they couldn't get into the facility, what needed to be done was to infect computers belonging to a few outside firms that sold devices that would in turn be connected to the facility. The book identified a few of these companies, but it's still unclear if they were the ones, or the perpetrators somehow had someone on the inside.



As to zero day in the title, what was unique about Stuxnet is that it contained 5 zero day exploits. Zero day is also relevant in that Zetter describes the black and gray markets of firms that discover zero-day vulnerabilities who in turn sell them to law enforcement and intelligence agencies.



Creating Stuxnet was a huge challenge that took scores of programmers from a nation state many months to create. Writing a highly readable and engrossing book about the obscure software vulnerabilities that it exploited was also a challenge, albeit one that few authors could do efficaciously. InCountdown to Zero Day: Stuxnet and the Launch of the Worlds First Digital Weapon, Kim Zetter has written one of the best computer security narratives; a book you will likely find quite hard to put down.





Reviewed by Ben Rothke"

Comment: Re:Media Coverage of Risk (Score 1) 46

by benrothke (#48246735) Attached to: Book Review: Measuring and Managing Information Risk: a FAIR Approach

Bruce Schneier has a good essay on this topic - Virginia Tech Lesson: Rare Risks Breed Irrational Responses - https://www.schneier.com/essay...

He sums it up with novelty + dread = overreaction.

Ebola fits that. From a public heath perspective for the US, Ebola is for the most part a non-issue.

+ - Book review: Measuring and Managing Information Risk: A FAIR Approach

Submitted by benrothke
benrothke (2577567) writes "Measuring and Managing Information Risk: A FAIR Approach

Author: Jack Freund and Jack Jones

Pages: 408

Publisher: Butterworth-Heinemann

Rating: 10/10

Reviewer: Ben Rothke

ISBN: 978-0124078147

Summary: Superb overview to the powerful FAIR risk management methodology





It's hard to go a day without some sort of data about information security and risk. Researches from firms like Gartner are accepted without question; even though they can get their results from untrusted and unvetted sources.



The current panic around Ebola shows how people are ill-informed about risk. While distressing over Ebola, the media is oblivious to true public health threats like obesity, heart disease, drunk driving, diabetes, and the like.



When it comes to information security, is not that much better. With myriad statistics, surveys, data breach reports, cost of data breach: global analyses and the like, there is an overabundance of data, and an under abundance of meaningful data.



In Measuring and Managing Information Risk: A FAIR Approach, authors Jack Freund and Jack Jones have written a magnificent book that will change the way (for the better) you think about and deal with IT risk.



The book details the factor analysis of information risk(FAIR) methodology, which is a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity.



An Open Group standard, FAIR is a methodology and a highly effective quantitative analysis tool.



The power of FAIR is immense: it enables the risk practitioner to make well-informed decisions based on meaningful measurements. While that seems obvious, in practicality, it is a challenging endeavor.



FAIR is invaluable in that it helps the risk professional understand the language that the corporate board and senior executives speak. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, as opposed to using Chicken Little statistics.



FAIR takes the risk professional out of the realm of the dealing with risk via the checklist; which only serves to produce meaningless measurements, into the world of quantitative, defendable results.



For those that are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those that are looking for a method to understand how to calculate qualitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.



The book is an incredibly good reference that will force you to look again at how you view risk management.



Jones writes in the preface that the book is not about checklists and formulas, but about critical thinking.



The authors note that information security and operational risk has operated for far too long as an art, with not enough science. This is the gap that FAIR attempts to fill.



The authors write that risk decision making quality boils down to the quality of information decision makers are operating from, and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision maker.



A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities and not to obsess with Ebola like possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.



The book spends a few chapters on going through FAIR risk ontology and terminology. Inconsistent and poorly defined terminology is one of the most significant challenges the information security and operational risk profession faces. Having a consistent set of logical terms and definitions that make up the FAIR framework significantly improves the quality of risk relations communications within an organization.



The value of having a consistent set of logical terms and definitions is significant. For example, the book notes that many people use the term threat. In the context of risk analysis, it might not be a real threat if there is no resulting loss. In that case, it would be considered a vulnerability event.



The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lays its power. Setting up a common framework for risk management becomes and invaluable tool to present risk ideas. In addition, it makes the findings much more objective and defendable.



In chapter 5, the authors address the biggest objections to quantitative risk management that it can't be measured or is simply unknowable. They agree that risk can't be measured at the micro level, but it canbe effectively measured to the degree to reduce management's uncertainly about risk.



They also importantly note that risk is a forward-looking statement about what may or come to pass in the future. With that, perfect accuracy is impossible; but effective quantitative risk management is very possible.



The power of FAIR is that is helps add clarity to ambiguous risk situations by giving you the tools to add data points to a situation that is purported to be unknowable.



Chapter 8 is an extremely enlightening chapter in that it provides 11 risk analysis examples. The examples do a great job of reinforcing the key FAIR concepts and methods.



In chapter 10, the authors write that the hardest part of learning FAIR is having to overcome bad habits. For most people, FAIR represents a recalibration of your mental model about what risk is and how it works. The chapter deals with common mistakes and stumbling blocks when performing a FAIR analysis. The 5 high-level categories of mistakes the chapter notes are: checking results, scoping, data, variable confusion and vulnerability analysis.



FAIR is a powerful methodology that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework.



But once you start using the language of FAIR and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.



The book is flawless in its execution and description of the subject. The only critique is that in that the author's should have been a bit more transparent in the text when (especially in chapter 8) mentioning the FAIR software, in that it is their firm that makes the software.



For those that are willing to put in the time to understanding FAIR, this book it will make their jobs much easier. It will help them earn the trust of senior management, and make them much better risk management professionals in the process.







Reviewed by Ben Rothke"

Comment: Re:The cloud (Score 1) 75

by benrothke (#47858073) Attached to: Book Review: Architecting the Cloud

::::First and foremost, the cloud is not in any way shape or form secure.Any thing you put there is there to share.

It’s as secure as you want to make it.

Many firms that take security seriously use the cloud. :::::Second, it is a buzzword that is used to get gullible suits to think that they can get rid of their IT depatments.

You do have a good point there.

Comment: Re:More details please... (Score 1) 75

by benrothke (#47858039) Attached to: Book Review: Architecting the Cloud

:::::Will an experienced admin (20+ years *NIX) that's currently using RackSpace (dedicated and cloud) learn anything from this book? It's so hard to tell from this review.

I think so. :::I've been using RackSpace for a few months now and I find that it's not much different than hosting the servers myself except I don't have to deal with things like router/switch configuration and hardware replacements.

From a hosting and sys admin perspective, it is not a radical difference.

But from a cloud application perspective, there is a lot to learn.

Comment: Re:a solution in search of a problem (Score 1) 75

by benrothke (#47857947) Attached to: Book Review: Architecting the Cloud

:::entrust their data to some unknown and unmonitored external entity such as the 'cloud'.

Do you really consider Amazon Web Services unknown and unmonitored?

The granularity of what they can report on shows their monitoring capabilities are quite sophisticated. :::Until that time, safe and productive cloud computing is just a fantasy. It's a solution in search of problem. Avoid it.

I think the facts speak for themselves. There are thousands of examples of safe and productive instances of cloud computing,

But there are also tens of thousands of examples of insecure and unproductive instances of cloud computing,

"You need tender loving care once a week - so that I can slap you into shape." - Ellyn Mustard

Working...