Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Michal Zalewski

  • Publisher: No Starch Press
  • Publication date: 2005-04-01
  • List price: $1,550
  • VIP price: $1,473 (95% of list price)
  • Language: English
  • Pages: 312
  • Binding: Paperback
  • ISBN: 1593270461
  • ISBN-13: 9781593270469
  • Out of print

Description:

Author Michal Zalewski has long been known and respected in the hacking and security communities for his intelligence, curiosity and creativity, and this book is truly unlike anything else out there. In Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, Zalewski shares his expertise and experience to explain how computers and networks work, how information is processed and delivered, and what security threats lurk in the shadows. No humdrum technical white paper or how-to manual for protecting one's network, this book is a fascinating narrative that explores a variety of unique, uncommon and often quite elegant security challenges that defy classification and eschew the traditional attacker-victim model.

 

Table of Contents:

FOREWORD
by Solar Designer

INTRODUCTION
A Few Words about Me
About This Book

PART I: THE SOURCE
On the problems that surface long before one sends any information over the network

CHAPTER 1: I CAN HEAR YOU TYPING
Where we investigate how your keystrokes can be monitored from far, far away

The Need for Randomness
Automated Random Number Generation
The Security of Random Number Generators
I/O Entropy: This Is Your Mouse Speaking
Delivering Interrupts: A Practical Example
One-Way Shortcut Functions
The Importance of Being Pedantic
Entropy Is a Terrible Thing to Waste
Attack: The Implications of a Sudden Paradigm Shift
A Closer Look at Input Timing Patterns
Immediate Defense Tactics
Hardware RNG: A Better Solution?
Food for Thought
Remote Timing Attacks
Exploiting System Diagnostics
Reproducible Unpredictability

CHAPTER 2: EXTRA EFFORTS NEVER GO UNNOTICED
Where we learn how to build a wooden computer and how to obtain information from watching a real computer run

Boole's Heritage
Toward the Universal Operator
DeMorgan at Work
Convenience Is a Necessity
Embracing the Complexity
Toward the Material World
A Nonelectric Computer
A Marginally More Popular Computer Design
Logic Gates
From Logic Operators to Calculations
From Electronic Egg Timer to Computer
Turing and Instruction Set Complexity
Functionality, at Last
Holy Grail: The Programmable Computer
Advancement through Simplicity
Split the Task
Execution Stages
The Lesser Memory
Do More at Once: Pipelining
The Big Problem with Pipelines
Implications: Subtle Differences
Using Timing Patterns to Reconstruct Data
Bit by Bit...
In Practice
Early-Out Optimization
Working Code-Do It Yourself
Prevention
Food for Thought

CHAPTER 3: TEN HEADS OF THE HYDRA
Where we explore several other tempting scenarios that occur very early on in the process of communications

Revealing Emissions: TEMPEST in the TV
Privacy, Limited
Tracking the Source: "He Did It!"
"Oops" Exposure: *_~1q'@@... and the Password Is...

CHAPTER 4: WORKING FOR THE COMMON GOOD
Where a question of how the computer may determine the intent of its user is raised and left unanswered

PART II: SAFE HARBOR
On the threats that lurk in between the computer and the Internet

CHAPTER 5: BLINKENLIGHTS
Where we conclude that pretty can also be deadly, and we learn to read from LEDs

The Art of Transmitting Data
From Your Email to Loud Noises... Back and Forth
The Day Today
Sometimes, a Modem Is Just a Modem
Collisions Under Control
Behind the Scenes: Wiring Soup and How We Dealt with It
Blinkenlights in Communications
The Implications of Aesthetics
Building Your Own Spy Gear...
...And Using It with a Computer
Preventing Blinkenlights Data Disclosure-and Why It Will Fail
Food for Thought

CHAPTER 6: ECHOES OF THE PAST
Where, on the example of a curious Ethernet flaw, we learn that it is good to speak precisely

Building the Tower of Babel
The OSI Model
The Missing Sentence
Food for Thought

CHAPTER 7: SECURE IN SWITCHED NETWORKS
Or, why Ethernet LANs cannot be quite fixed, no matter how hard we try

Some Theory
Address Resolution and Switching
Virtual Networks and Traffic Management
Attacking the Architecture
CAM and Traffic Interception
Other Attack Scenarios: DTP, STP, Trunks
Prevention of Attacks
Food for Thought

CHAPTER 8: US VERSUS THEM
What else can happen in the local perimeter of "our" network? Quite a bit!

Logical Blinkenlights and Their Unusual Application
Show Me Your Typing, and I Will Tell You Who You Are
The Unexpected Bits: Personal Data All Around
Wi-Fi Vulnerabilities

PART III: OUT IN THE WILD
Once you are on the Internet, it gets dirty

CHAPTER 9: FOREIGN ACCENT
Passive fingerprinting: subtle differences in how we behave can help others tell, who we are

The Language of the Internet
Naive Routing
Routing in the Real World
The Address Space
Fingerprints on the Envelope
Internet Protocol
Protocol Version
The Header Length Field
The Type of Service Field (Eight Bits)
The Total Packet Length (16 Bits)
The Source Address
The Destination Address
The Fourth Layer Protocol Identifier
Time to Live (TTL)
Flags and Offset Parameters
Identification Number
Checksum
Beyond Internet Protocol
User Datagram Protocol
Introduction to Port Addressing
UDP Header Summary
Transmission Control Protocol Packets
Control Flags: The TCP Handshake
Other TCP Header Parameters
TCP Options
Internet Control Message Protocol Packets
Enter Passive Fingerprinting
Examining IP Packets: The Early Days
Initial Time to Live (IP Layer)
The Don't Fragment Flag (IP Layer)
The IP ID Number (IP Layer)
Type of Service (IP Layer)
Nonzero Unused and Must Be Zero Fields (IP and TCP Layers)
Source Port (TCP Layer)
Window Size (TCP Layer)
Urgent Pointer and Acknowledgment Number Values (TCP Layer)
Options Order and Settings (TCP Layer)
Window Scale (TCP Layer, Option)
Maximum Segment Size (TCP Layer, Option)
Time-Stamp Data (TCP Layer, Option)
Other Passive Fingerprinting Venues
Passive Fingerprinting in Practice
Exploring Passive-Fingerprinting Applications
Collecting Statistical Data and Incident Logging
Content Optimization
Policy Enforcement
Poor Man's Security
Security Testing and Preattack Assessment
Customer Profiling and Privacy Invasion
Espionage and Covert Reconnaissance
Prevention of Fingerprinting
Food for Thought: The Fatal Flaw of IP Fragmentation
Breaking TCP into Fragments

CHAPTER 10: ADVANCED SHEEP-COUNTING STRATEGIES
Where we dissect the ancient art of determining network architecture and computer's whereabouts

Benefits and Liabilities of Traditional Passive Fingerprinting
A Brief History of Sequence Numbers
Getting More Out of Sequence Numbers
Delayed Coordinates: Taking Pictures of Time Sequences
Pretty Pictures: TCP/IP Stack Gallery
Attacking with Attractors
Back to System Fingerprinting
ISNProber-Theory in Action
Preventing Passive Analysis
Food for Thought

CHAPTER 11: IN RECOGNITION OF ANOMALIES
Or what can be learned from subtle imperfections of network traffic

Packet Firewall Basics
Stateless Filtering and Fragmentation
Stateless Filtering and Out-of-Sync Traffic
Stateful Packet Filters
Packet Rewriting and NAT
Lost in Translation
The Consequences of Masquerading
Segment Size Roulette
Stateful Tracking and Unexpected Responses
Reliability or Performance: The DF Bit Controversy
Path MTU Discovery Failure Scenarios
The Fight against PMTUD, and Its Fallout
Food for Thought

CHAPTER 12: STACK DATA LEAKS
Where you will find a yet another short story on where to find what we did not intend to send out at all

Kristjan's Server
Surprising Findings
Revelation: Phenomenon Reproduced
Food for Thought

CHAPTER 13: SMOKE AND MIRRORS
Or how to disappear with grace

Abusing IP: Advanced Port Scanning
Tree in the Forest: Hiding Yourself
Idle Scanning
Defense against Idle Scanning
Food for Thought

CHAPTER 14: CLIENT IDENTIFICATION: PAPERS, PLEASE!
Seeing through a thin disguise may come in handy on many occasions

Approaching the Problem
Towards a Solution
A (Very) Brief History of the Web
A HyperText Transfer Protocol Primer
Making HTTP Better
Latency Reduction: A Nasty Kludge
Content Caching
Managing Sessions: Cookies
When Cookies and Caches Mix
Preventing the Cache Cookie Attack
Uncovering Treasons
A Trivial Case of Behavioral Analysis
Giving Pretty Pictures Meaning
Beyond the Engine...
...And Beyond Identification
Prevention
Food for Thought

CHAPTER 15: THE BENEFITS OF BEING A VICTIM
In which we conclude that approaching life with due optimism may help us track down the attacker

Defining Attacker Metrics
Protecting Yourself: Observing Observations
Food for Thought

PART IV: THE BIG PICTURE
Our legal department advised us not to say "the network is the computer" here

CHAPTER 16: PARASITIC COMPUTING, OR HOW PENNIES ADD UP
Where the old truth that having an army of minions is better than doing the job yourself is once again confirmed

Nibbling at the CPU
Practical Considerations
Parasitic Storage: The Early Days
Making Parasitic Storage Feasible
Applications, Social Considerations, and Defense
Food for Thought

CHAPTER 17: TOPOLOGY OF THE NETWORK
On how the knowledge of the world around us may help track down rogue attackers

Capturing the Moment
Using Topology Data for Origin Identification
Network Triangulation with Mesh-Type Topology Data
Network Stress Analysis
Food for Thought

CHAPTER 18: WATCHING THE VOID
When looking down the abyss, what does not kill us makes us stronger

Direct Observation Tactics
Attack Fallout Traffic Analysis
Detecting Malformed or Misdirected Data
Food for Thought

CLOSING WORDS
Where the book is about to conclude

BIBLIOGRAPHIC NOTES

INDEX