WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Book review: Silence on the Wire reveals exotic security attacks

Do you consider yourself an ubergeek? Have you ever disassembled an expensive piece of high-tech gear simply to learn what makes it tick? Do you spend your spare time crafting LEGO logic gates? If you're nodding enthusiastically, you'll probably enjoy reading Michal Zalewski's Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks.

In Silence on the Wire, Zalewski, a self-educated and well-regarded security researcher, unveils many obscure, complex security problems built right into today's networking and computing technology. His book skips the well-known vulnerabilities that we hear about every day, in order to focus on lesser-known design flaws that might allow patient attackers to silently steal your computer's secrets.

In each chapter, Zalewski generally begins by describing technologies seemingly unrelated to security, only to reveal unexpected connections later -- some of them dire. For example, you've probably never imagined that the method your computer uses to generate pseudo-random numbers poses any risk to you or your computer. Zalewski shows how this one process could allow an attacker to predict what you type, based on the timing of your keystrokes. Other chapters introduce similarly exotic issues, such as how attackers can "fingerprint" your computer without even connecting to it, or how an eagle-eyed attacker (with a little electronic help) can read your network's traffic simply by watching the blinking lights on your DSL modem.

In a refreshing departure from most technical books, Zalewski lightens Silence on the Wire's sometimes abstruse technical content with anecdotes and insightful histories on the different subjects he covers. He injects dry humor throughout his book. How well this holds your interest will vary from reader to reader, because in order to explain the more esoteric computing problems he discusses, Zalewski explores diverse subjects (electronics, statistical analysis, mathematics...) in extreme, often painstaking, detail. Impatient readers expecting Zalewski to simply describe a problem and how to fix it might find themselves frustrated mid-chapter, wondering, "What's the point?"

If you expect to learn about practical security flaws that affect you today, you won't find many in Silence. Though it accurately describes offbeat yet real security problems, exploiting these flaws would demand enough effort from an attacker to rank the risk closer to "theoretical" than "practical." In order to leverage many of the security flaws Zalewski exposes, an attacker would first have to gain local access to your computer or network, or at least be able to monitor all the communications between two computers for extended periods of time. So, yes, an attacker could go to elaborate means to figure out what you type -- but if he had access to your computer, wouldn't he simply pop in a keystroke logger? Even the few attack scenarios in the book that don't require extra access either take extreme patience and focus to leverage, or pose only marginal risk.

But clearly, Zalewski does not intend Silence as a practical security guide. Its value lies more in its process of discovery than the discoveries themselves. In his introduction, Zalewski says he wants to teach you that the only way to understand the Internet's security implications is by exploring its technologies in detail and reading between the lines. Silence demonstrates how to look at things in a new light and find connections that aren't immediately obvious: not only thinking outside the box, but twisting the box, shaking it, and finding a way to exploit it.

Whether or not you'll enjoy Silence probably depends on what you expect from a security book. If you're a busy IT administrator who wants the straight-up scoop on today's urgent security problems and how to fix them, look elsewhere. However, if you enjoy thinking about technology (for example, if you liked Neal Stephenson's technical digressions in Cryptonomicon and the Baroque Cycle), Silence on the Wire is the heady brew for you. If you're a security professional or a self-described geek who loves to learn new things and prefers taking the long route home just to enjoy the scenery, Silence on the Wire provides great mental stimulation while offering a rare glimpse into the thought process of a good old-fashioned classic hacker. -- Corey Nachreiner

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.