REVIEW: Silence on the Wire
This is a belated review of Silence on the Wire by Michal Zalewski. I read the book a while ago, so this is from memory, but I enjoyed it a lot and wanted to review it. This is a book about passive security attacks: instead of actively accessing a system and its information, passive attacks capitalize on information leakage. As such there aren't really any cookbook examples you can extrapolate from; every case is wildly different. I found the book more useful for getting you to think about systems in a different way so you can secure them (or attack them, I suppose) better. The book breaks the attacks into four classes based on the attacker's level of access to the system: The Source (local machine attacks), Safe Harbor (intranet attacks), Out in the Wild (Internet attacks) and The Big Picture (attacks against the whole system). The book does a fairly good job of back-filling the information you need to understand the attacks it describes, although I found myself needing to refresh my memory about some of the deeper details of TCP.
Local machine attacks: This section describes passive attacks where the attacker has access (network or physical) to your machine. The book starts with a description of different ways of generating random numbers and how they can be exploited if you have access to the system by exhausting the random number supply: the new random number has to come from somewhere, and (at least in the systems Zalewski studied) the numbers are partly generated from keyboard input. The author then describes statistical methods for guessing passwords from the keyboard timing data.
A recurring theme in the book is describing how things work at a very low level (for example, a fairly low-level description of how microprocessors work, starting from Boolean algebra); a necessary prerequisite for attacking any system is having a good understanding of how it works. The book then describes TEMPEST leakage (i.e. electromagnetic radiation from systems) and how it can be exploited.
Intranet attacks: This section deals with attacks that can be carried out remotely but require some kind of proximity to the victim. It starts with an analysis of information leakage from the blinking LEDs on networking switches; again Zalewski determined that it works on the hardware he tested, but it's less clear whether it's true of networking hardware in general. The take-away is thinking about unconventional avenues of information leakage and how to analyze the threat model (some researchers recently found that you could swipe passwords from the sounds of the keys being typed using a similar model). The author then describes some historical attacks on Ethernet (chilling!) and how networks and modems work at the wire level, along with some interesting attacks on them.

Internet attacks: The bulk of the book describes various weaknesses in the TCP/IP protocol family. There is a fairly extensive description of how TCP and UDP work, although you will most likely want some supplemental material as I noticed some gaps in the description. Zalewski is the author of a passive fingerprinting tool called p0f: it identifies systems based on the "fingerprint" of their TCP implementation. TCP is sufficiently complicated that different implementations (and different versions of the same implementation) can be identified by how they respond to specific requests. Fingerprinting a system is a prerequisite for knowing how to exploit bugs and weaknesses in its TCP implementation. There is a fair amount of coverage of how to predict TCP sequence numbers (in order to inject packets into a connection) using some interesting time-series graphing techniques. The author describes some ways of determining how many hops away a machine is, and gives a detailed discussion of the differences between stateful and stateless firewalls. He then goes into various ways that firewalls and the systems behind them can be probed and identified, all backed with clever real-world examples.
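Sequence-number predictability, as an added example that is not code from the book or from p0f: Zalewski's graphing approach plots consecutive ISN deltas against each other, so a weak generator shows up as a tight cluster and a good one as a cloud filling the space. The snippet below builds that delta phase space for two ISN sources constructed for the purpose, one that steps by a near-constant increment and one that draws independent 32-bit values, measures the extent of each point cloud, and checks how often a naive "next delta equals the last delta" guess lands within a spoofing window. Both generators, the step size and the window are my assumptions, not figures from the book.

```python
import random

MASK32 = 0xFFFFFFFF


def weak_isn_source(seed=1):
    """Constructed 'bad' generator: each new connection's ISN is the previous
    one plus a near-constant step (64000 plus or minus a few units of jitter)."""
    rng = random.Random(seed)
    isn = rng.getrandbits(32)
    while True:
        isn = (isn + 64000 + rng.randint(-8, 8)) & MASK32
        yield isn


def strong_isn_source(seed=1):
    """Constructed 'good' generator: every ISN is an independent 32-bit value."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)


def collect(source, n):
    """Observe n ISNs, as an attacker would by opening n connections and
    reading the server's SYN-ACK each time."""
    return [next(source) for _ in range(n)]


def signed_delta(a, b):
    """a - b in 32-bit sequence-number arithmetic, mapped to a signed value
    so that wrap-around does not look like a huge jump."""
    x = (a - b) & MASK32
    return x - (1 << 32) if x >= (1 << 31) else x


def phase_space(isns):
    """Map ISNs s[0..n] to points (s[i]-s[i-1], s[i-1]-s[i-2], s[i-2]-s[i-3]).
    A predictable generator collapses to a small blob; a random one fills the cube."""
    return [
        (signed_delta(isns[i], isns[i - 1]),
         signed_delta(isns[i - 1], isns[i - 2]),
         signed_delta(isns[i - 2], isns[i - 3]))
        for i in range(3, len(isns))
    ]


def bounding_box(points):
    """Extent of the point cloud along each axis: a crude attractor size."""
    return tuple(max(p[axis] for p in points) - min(p[axis] for p in points)
                 for axis in range(3))


def predict_next(isns):
    """Naive predictor: assume the next delta repeats the last observed one."""
    return (isns[-1] + signed_delta(isns[-1], isns[-2])) & MASK32


def hit_rate(isns, window=1000):
    """Fraction of predictions landing within +/- window of the real next ISN,
    i.e. how often a blindly spoofed segment would fall inside a receive window
    of that width."""
    hits = 0
    for i in range(2, len(isns) - 1):
        if abs(signed_delta(isns[i + 1], predict_next(isns[:i + 1]))) <= window:
            hits += 1
    return hits / (len(isns) - 3)


if __name__ == "__main__":
    for name, src in (("weak", weak_isn_source()), ("strong", strong_isn_source())):
        isns = collect(src, 200)
        print(name, "box:", bounding_box(phase_space(isns)), "hit rate:", hit_rate(isns))
```

With a real target you would replace the generators with ISNs sampled from its SYN-ACKs; the bounding box and hit rate then tell you whether blind injection is even worth attempting before you start working out which sequence number a live connection is at.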
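The stateful-versus-stateless distinction and the probing it enables, as an added example of my own rather than anything from the book: a stateless packet filter implementing the classic "established" rule (pass anything with ACK set and SYN clear) forwards an unsolicited ACK to the host, which answers with a RST and so shows that the port is reachable through the filter; a stateful filter drops the same packet because no handshake ever created a table entry. The two filters, the probe and the addresses below are constructed for illustration, model only the client-to-server direction, and ignore timeouts and reply tracking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


class StatelessFilter:
    """Classic ACL: new connections only to allowed ports; anything that looks
    like part of an existing session (ACK set, SYN clear) is passed without
    checking whether such a session ever existed."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def permit(self, pkt):
        if pkt.dport in self.allowed_ports:
            return True
        return "ACK" in pkt.flags and "SYN" not in pkt.flags


class StatefulFilter:
    """Connection-tracking filter: a packet passes only if it opens a new
    session on an allowed port (bare SYN) or matches a session already in the
    state table."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = set()

    def permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True
        if pkt.dport in self.allowed_ports and pkt.flags == frozenset({"SYN"}):
            self.table.add(key)
            return True
        return False


SCANNER = "203.0.113.5"   # constructed attacker address (TEST-NET-3)
TARGET = "198.51.100.10"  # constructed target address (TEST-NET-2)


def ack_probe(fw, port):
    """Send a lone ACK to a port no rule explicitly allows. True means the
    filter forwarded it (the host will answer with RST, so the port is reachable
    through the filter); False means the filter silently dropped it."""
    return fw.permit(Packet(SCANNER, 40000, TARGET, port, frozenset({"ACK"})))


def syn_probe(fw, port):
    """Ordinary connection attempt, for comparison with the ACK probe."""
    return fw.permit(Packet(SCANNER, 40001, TARGET, port, frozenset({"SYN"})))


def classify(fw, unlisted_port=31337):
    """Heuristic from the probe results: a filter that forwards unsolicited
    ACKs to an unlisted port is stateless."""
    return "stateless" if ack_probe(fw, unlisted_port) else "stateful"


if __name__ == "__main__":
    for fw in (StatelessFilter([80]), StatefulFilter([80])):
        print(type(fw).__name__, "looks", classify(fw))
```

On the wire the difference is a RST coming back versus silence, which is exactly what an ACK scan looks for; the point to remember as a defender is that "established" matching on flags alone is not state.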
One of those examples shows how HTTP ETags can be used to track users even when they have disabled browser cookies. Neat!

The Big Picture: This section is a little more ill-defined: attacks against the Internet in general rather than against a specific user. It covers topics like parasitic storage, using the Internet at large as a store by keeping data in the temporary packet buffers of network devices, a kind of juggling of data. There is also some discussion of tracking a user's physical location using network topology.

I really enjoyed this book, although reading some sections required a bit of effort (the book is not as polished as most O'Reilly books), but the content makes it worth it. The book contains interesting real-world examples for most of the issues it raises; without them the reader might be tempted to think some of these problems were theoretical. The take-away from the book is that the delusions under which a lot of people labor (firewalls will protect me! no browser cookies means I can't be tracked!) are not as true as you hope.
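The "no browser cookies means I can't be tracked" point, illustrated with the ETag trick mentioned above, as an added example that is not the book's code: the server hands every first-time visitor a unique ETag on some small resource, the browser's cache echoes it back in If-None-Match on the next load, and the server has a persistent per-visitor identifier without ever setting a cookie. The server, the minimal browser cache, the beacon URL and the two visitors below are all constructed for the demonstration.

```python
import secrets


class TrackingServer:
    """Constructed server for a tiny resource (think of a 1x1 beacon image).
    A first visit gets a fresh random ETag; a revalidation that echoes a known
    ETag in If-None-Match is recognized as the same visitor."""

    def __init__(self):
        self.visits = {}  # ETag -> number of requests seen carrying it

    def handle(self, request_headers):
        echoed = request_headers.get("If-None-Match")
        if echoed in self.visits:
            self.visits[echoed] += 1
            # 304 tells the browser its cached copy is fine; the ETag itself is
            # the tracking identifier and survives for another round trip.
            return 304, {"ETag": echoed}, b""
        etag = '"%s"' % secrets.token_hex(8)  # random, unique per visitor
        self.visits[etag] = 1
        # must-revalidate makes the browser ask again (and echo the ETag) on
        # every later load instead of serving silently from its cache.
        headers = {"ETag": etag, "Cache-Control": "max-age=0, must-revalidate"}
        return 200, headers, b"\x89PNG..."  # constructed stand-in for image bytes


class Browser:
    """Minimal client with a validating cache and no cookie jar at all."""

    def __init__(self):
        self.cache = {}  # url -> (etag, body)

    def fetch(self, server, url):
        request_headers = {}
        if url in self.cache:
            request_headers["If-None-Match"] = self.cache[url][0]
        status, headers, body = server.handle(request_headers)
        if status == 200:
            self.cache[url] = (headers["ETag"], body)
        return status, headers["ETag"]

    def clear_cache(self):
        self.cache.clear()


def simulate():
    """Two cookie-less visitors load the beacon; Alice returns once, then
    clears her cache and returns again."""
    server = TrackingServer()
    alice, bob = Browser(), Browser()
    url = "/beacon.png"
    alice_first = alice.fetch(server, url)
    alice_second = alice.fetch(server, url)
    bob_first = bob.fetch(server, url)
    alice.clear_cache()
    alice_after_clear = alice.fetch(server, url)
    return {
        "alice_first": alice_first,
        "alice_second": alice_second,
        "bob_first": bob_first,
        "alice_after_clear": alice_after_clear,
        "visits": dict(server.visits),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The thing to check on a site you are suspicious of is whether cache validators on small, embedded resources look like per-client random tokens rather than content hashes or timestamps; in the simulation the link between visits only breaks when the cache is cleared, which is the same thing the conclusion above warns about.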