Silence on the Wire

PRObooks

Silence on the Wire

On rare occasions, a computer book breaks away from thesafe harbor of rehashed subject matter. Instead of writing about the same mainstreamtopics that countless other professionals have revisited and revised, authorMichal Zalewski, a self-taught security researcher, provides an out-of-the-box,thought-provoking book that escapes the everyday standard security practicediscussions of firewalls and social engineering. Above all else, Silence on the Wire showcases Zalewski sknack for computing machines, mathematics, and vulnerability identification.

There s a reason this is not a mainstream book. Most ofthe ideas presented by Zalewski have yet to be developed into real threats. However,as many computer security professionals know, it s only a matter of time beforean idea expresses itself into an actual reference implementation that can thenmutate into a whole new category of threats. Zalewski stirs up the hornet snest with several of the alarms he raises, but most would take so much effortthat the most effective solution could short-circuit to a blunter conclusion. Forexample, there was a story in the news about an unfortunate car owner. His carfeatured biometric locks that could only be disabled with the scan of his thumb.Rather than spending an inordinate amount of time developing a biometricscanning hack, car thieves hacked something else more immediate and accessible:the car owner s thumb. This thought crossed my mind more than once whilereading about some of the more obtuse, elaborate schemes that were presented inthe book.

Silence on the Wirestarts with the keyboard interface and moves through the routers to thetopology of the network. For example, the first few chapters consider theproblem of pseudorandom number generators (PRNGs) and their securityimplications with standard I/O. Zalewski cites the 2001 work of Dawn XiaodongSong, David Wagner, and Xuqing Tian and their research on the timing analysisof keystrokes and timing attacks on SSH, placing these findings into a greatercontext of future security threats by merely sniffing electrical pulses emittedfrom pressed keys. Another example of this electronic pulse collection andanalysis idea is the consideration of electromagnetic radiation (EMR) combinedwith the Transient Electromagnetic Pulse Emanation Standard (TEMPEST). Thisidea captures information displayed on screen via a highly sensitive radio thatpicks up the EMR signatures for later playback and interpretation. Otherelectronic indicators such as Quadrature Amplitude Modulation (QAM) and theblinking pattern of light emitting diodes (LEDs) on a hub or router make theirway into the book, as well.

Part III branches out to the wild, wild Internet. Readersalready concerned about the insecurity on the information superhighway will bedownright paranoid after reading about passive fingerprinting and the so-calledrandomness that once graphed out don t look so random after all. Each chaptercloses with a Food for Thought section that evolves the main ideas intoscenarios that posit how such ideas could be used in the future.

Silence on the Wirealso provides a glimpse of what s next in the increasingly sophisticated battleof security practices and unauthorized data capture countermeasures. This isthe stuff of spy novels and CIA and NSA legend. In fact, one has to wonderabout the number of concepts offered in the book that the NSA has alreadymatured, or if perhaps the author had in fact smuggled some of the more cleverand/or way-out ideas from those very agencies and shared them with us meremortals.

Mike Riley

Rating:

Title: Silence on the Wire: a Field Guide toPassive Reconnaissance and Indirect Attacks

Author: MichalZalewski

Publisher: NoStarch Press

ISBN: 1-59327-046-1

Web Site: http://www.nostarch.com/frameset.php?startat=silence

Price: US$39.95

Page Count: 312pages