Wednesday, August 3, 2011

Book Review: Surveillance Or Security?

"Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize. It is not about security, but it deals extensively with it. It is not a law book, but legal topics are pervasive throughout. It is not a telecommunications book, but extensively details telco issues. Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times." Read below for the rest of Ben's review.
Surveillance or Security?: The Risks Posed by New Wiretapping Technologies
author Susan Landau
pages 360
publisher MIT Press
rating 10/10
reviewer Ben Rothke
ISBN 9780262015301
summary Definitive text on the topic of surveillance, security and privacy read.
Surveillance or Security? is one of the most pragmatic books on the topic in that the author never once uses the term Big Brother. Far too many books on privacy and surveillance are filled with hysteria and hyperbole and the threat of an Orwellian society. This book sticks to the raw facts and details the current state, that of insecure and porous networks around a surveillance society.

In this densely packed work, Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University details the myriad layers around surveillance, national security, information security and privacy. Landau writes that her concern is not about legally authorized law enforcement and nationally security wiretapping; rather about the security risks of building surveillance into communications infrastructures.

Landau details numerous reasons why communications security is hard to do right; but an imperative for our ultimate security, privacy and digital wellbeing.

In 250 pages, Landau makes a compelling case. In addition to her superb handle on the topic, the book has over 80 pages of footnotes, where everyquote, statement and claim is verified and confirmed. The book is a great launching pad for a much deeper analysis on the topic.

The main theme of the book is that digital communications have revolutionized the way in which society interacts. The Internet is now the lifeblood of many businesses and governments, including a significant part of our critical infrastructure. The fact that this infrastructure lacks comprehensive security and privacy controls are a troubling concern.

In 11 dense chapters, Landau notes that since security and privacy have not been fully integrated into this infrastructure; this leaves us exposed and vulnerable to cyberattacks.

In the introduction, Landau notes that with this new computing and telecommunications paradigm, the job of law enforcement has become much more challenging. In previous years, surveillance was relatively easy. Once law enforcement had physical access to a phone line, they were in. Today, with cell phones, VoIP, Internet cafes, anonymizing services and more, the dynamics have changed and this has caused quite a shock for law enforcement; who are often struggling to deal with this new paradigm.

Landau notes that the surveillance and eavesdropping technologies that have been deployed since 9/11 are being used to catch one set of enemies. But other antagonists may be posed to turn these tools against us, and we are putting into place something for our enemies to use that they could not afford to do on their own. As to this and other difficult questions that Landau brings up; there are no simple answers.

Chapter 3 — Securing the Internet is Difficult — notes that the original creators of TCP/IP did not have security in their design. Their concerns were more along the lines of traffic breakdowns, packet loss, robustness and more; but not security and privacy. In some ways, this may be been a blessing, as Dennis Jennings, who ran the NFSNET; states that "had we known what was to come, we'd have been terrified and the Internet would never have happened.

In chapter 5 — The Effectiveness of Wiretapping– Landau notes that the biggest use of wiretapping tools is not actually the capture of conversation. But something that is not really wiretapping at all: the capture of transactional information.

Chapter 7 – Who are the Intruders? What are They Targeting?– is one of the best chapters in the book. Landau details both the internal threat and industrial espionage, and it is not a pretty picture. Landau provides numerous cases where nation-states used networks, rather than people to infiltrate US interests, governmental, industrial and scientific areas. She notes that these insider attacks are often the most difficult to detect; the reason being that insiders know the systems, know where the important data is, and what the auditors are looking at. This ultimately makes insiders attack particularly pernicious.

So how significant are nation-states infiltrating US networks? Landau quotes a confidential government source that the NASA network was "completely open to the Chinese".

Landau makes her message loud and clear in chapter 8 when she notes that it does not help to tell people to be secure; rather security must be built into their communications systems. Security must be ubiquitous, from the phone to the central office and from the transmission of a cell phone to its base station to the communications infrastructure itself.

In chapter 9 – Policy Risks Arising from Wiretapping – Landau details how deep packing inspection (DPI) is used by ISP's. It is the ISP's who have the capability to know what you are browsing, what your email says, your VoIP conversation and much more. In a short amount of time, the ISP can develop a dossier on the user, and as noted, it has the ability to amass data to an amount that the Stasi could only dream of. This surveillance ability is what is most troubling to the author.

Landau continues that the only way for a person to avoid the risk from ubiquitous uses of DPI by an ISP would be to encrypt everything. While not completely done now, Gmail and Skype do bulk encryption.

The book closes with chapter 11 – Getting Communications Security Right– and there are no easy answers. Landau notes that across the globe, there are projects on clean-slate network architectures. But our current infrastructure is quite insecure and porous.

Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is an extremely important book on the topic of the many risks posed by new wiretapping technologies. Landau has the remarkable talent of taking very broad issues and detailing them in a concise, yet comprehensive manner. The book should be seen as the starting point for discussion on a most important topic.

Landau does an excellent job of detailing how unwarranted surveillance can undermine security and affect our rights, while noting that security for every citizen is paramount to the very spirit of the Constitution.

The book closes with the very principles of what it means to get communications security rightand that adhering to these principles cannot guarantee that we will be completely secure. But failure to adhere to them will guarantee that we will not.

As to Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, required reading it is, but that term does not do justice to the importance of this book. Simply put, this book is the definitive text on the topic and it is a title that needs to be read.

Reviewer Ben Rothke (@benrothke) is the author of Computer Security: 20 Things Every Employee Should Know

You can purchase Surveillance or Security?: The Risks Posed by New Wiretapping Technologies from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

*

http://books.slashdot.org/story/11/07/08/1152237/Book-Review-Surveillance-Or-Security

Sagar Marepally: Book Review: Cyber Warfare

Sagar Marepally: Book Review: Cyber Warfare

Book Review: Cyber Warfare

"The authors, Steve Winterfield and Jason Andress, cover everything you will want to consider when thinking about how to use cyberspace to conduct warfare operations. The primary concepts have been bouncing around US military circles for over a decade but they have never been collected into one tome before. Clarke and Knake's book, Cyber War: The Next Threat to National Security and What to Do about It, discusses how weak the US network defenses are and offers suggestions about how to improve. Carr's book, Inside CyberWarfare: Mapping the Cyber Underworld, presents threat examples and nation state capabilities. Libicki's book, Cyberdeterrence and Cyberwar, attacks cyberwar from a policy viewpoint and does not really address operational considerations. Stiennon's book, Surviving Cyberwar, is a good place to start if you are new to the subject and is almost a prerequisite for this book." Read on for the rest of raceBannon's review.
Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners
author Jason Andress and Steve Winterfield
pages 289
publisher Syngress
rating 10
reviewer raceBannon
ISBN 1597496375
summary A consolidation of the current thinking around the topic of cyber warfare.
Although the content has been around for a while, it is striking how little the main concepts have changed. In a world where new innovations completely alter the popular culture every eighteen months, the idea that Cyber Warfare's operational principals remain static year after year is counter-intuitive. After reading through the various issues within though, you begin to understand the glacial pace. These difficult concepts spawn intractable problems and the authors do a good job of explaining them.

I do have a slight issue with the subtitle though: "Techniques, Tactics and Tools for the Security Practitioners." The way I read this book, the general purpose (GP) Security Practitioner will not find this book very useful except as background information. Aside from the chapters on Logical Weapons, Social Networking and Computer Network Defense, most of the material has to do with how a nation state, mostly the US, prepares to fight in cyber space. There is overlap for the GP security practitioner, but this material is covered in more detail in other books.

The book is illustrated. Some of the graphics are right out of military manuals and have that PowerPoint Ranger look about them. Some are screenshots of the various tools presented. Others are pictures of different equipment. One graphic stood out for me in the Cyberspace Challenges chapter (14). The graphic in question is a neat Venn Diagram that encapsulates all of the Cyber Warfare issues mentioned in the book, categorizes the complexity of each issue and shows where they overlap in terms of Policy, Processes, Organization, Tech, People and Skills. My only ding on the diagram is that in the same chapter, the authors discuss how much each issue might cost to overcome. It would have been very easy to represent that information on the Venn diagram and make it more complete.

One last observation about the graphics that I really liked is the author's use of "Tip" and "Note" boxes throughout the book. Scattered throughout the chapters are grayed-out text boxes that talk about some technology or procedure that is related to the chapter information but not directly. For example, in the Social Engineering chapter (7), the authors placed a "Note" describing the various Phishing forms. You do not need the information to understand the chapter but having it nearby provides the reader with a nice example to solidify the main arguments. The book is full of these examples.

The first three chapters are my favorites. Winterfield and Andress do agood job of wrapping their heads around such entangled concepts as the definition of cyber warfare, the look of a cyber battle space and an international view of current doctrine It is fascinating.

In the middle of the book, the authors take on the task of describing the Computer Network Operations (CNO) Spectrum; a spectrum that ranges from the very passive form of Computer Network Defense (CND) through the more active forms of Computer Network Exploitation (CNE) and Computer Network Attack (CNA). It is indeed a spectrum too because the delineation between where CND, CNE and CNA start and stop is not always clean and precise. There is overlap. And somewhere along that same spectrum is where law enforcement organizations and counter-intelligence groups operate. You can get lost fairly quickly without a guide and the authors provide that function admirably. The only thing missing from these chapters is a nice diagram that encapsulates the concept.

Along the way the reader gets a nice primer on the legal issues surrounding Cyber Warfare, the ethics that apply, what it takes to be a cyber warrior and a small glimpse over the horizon about what the future of Cyber Warfare might bring. In the end, Winterfield and Andress get high marksfor encapsulating this complex material into an easy-to-understand manual; a foundational document that most military cyber warriors should have at their fingertips and a book that should reside on the shelf of anybody interested in the topic.

Full Disclosure: One of the authors, Steve Winterfield, used to work for me when he and I were both in the US Army wrestling with all of these ideas right after 9/11. I ran the Army Computer Emergency Response Team (ACERT) and Steve ran the Army's Southern Regional CERT (RCERT South). He and I have been friends ever since and he even quoted me in one of the back chapters.

You can purchase Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

*

http://books.slashdot.org/story/11/07/20/1859217/Book-Review-Cyber-Warfare

Facebook To Pay Hackers For Bugs

"Facebook is going to pay hackers to find problems with its website — just so long as they report them to Facebook's security team first. The company is following Google and Mozilla in launching a Web 'Bug Bounty' program. For security related bugs — cross site scripting flaws, for example — the company will pay a base rate of $500. If they're truly significant flaws Facebook will pay more, though company executives won't say how much. 'In the past we've focused on name recognition by putting their name up on our page, sending schwag out and using this an avenue for interviews and the recruiting process,' said Alex Rice, Facebook's product security lead. 'We're extending that now to start paying out monetary rewards.'"

PayPal Hands Over 1,000 IP Addresses To the FBI

"PayPal was attacked by Anonymous last year when they had blocked the Wikileaks accounts transactions. Now PayPal has finally come up with enough evidence to strike back at Anonymous with the help of the FBI. PayPal has come up with a list of over 1,000 IP Addresses left behind when they were attacked by Anonymous."
http://it.slashdot.org/story/11/07/31/122235/PayPal-Hands-Over-1000-IP-Addresses-To-the-FBI

Windows XP PCs Breed Rootkit Infections

"Machines running the decade-old Windows XP make up a huge reservoir of infected PCs that can spread malware to other systems, a Czech antivirus company said. Windows XP computers are infected with rootkits out of proportion to the operating system's market share, according to data released Thursday by Avast Software, which surveyed more than 600,000 Windows PCs. While XP now accounts for about 58% of all Windows systems in use, 74% of the rootkit infections found by Avast were on XP machines. Avast attributed the infection disparity between XP and Windows 7 to a pair of factors: The widespread use of pirated copies of the former and the latter's better security. Vlcek assumed that many of the people running XP SP2, which Microsoft stopped supporting with security patches a year ago, have declined to update to the still-supported SP3 because they are running counterfeits."
http://it.slashdot.org/story/11/07/31/1356217/Windows-XP-PCs-Breed-Rootkit-Infections

How Face Recognition Can Uncover SSNs

"Building on previous work showing that social security numbers are not random, CMU researchers ran experiments in which they predicted students' social security numbers after taking a photo of them with a cheap webcam. Using off-the-shelf facial recognition technology and data-mining publicly available Facebook photos and profile information, they were able to come up with the social security numbers of several of the students. (More impressive, as they note that 60% of the students were foreign, and had no SSNs, leaving them a pool of less than 50)."http://yro.slashdot.org/submission/1743378/How-Face-Recognition-Can-Uncover-SSNs