Thursday, August 17, 2017

Stealing the Network


I recently re-read Stealing the Network: How to Own the Box. Although it was written almost 10 years ago, I'm impressed by how it is still super up to date. Describing fictional attacks on websites, networks, and even printers, it proves that no system is safe enough. The book also shows how dangerous it can be to leave access unrestricted and our systems and devices unpatched.

Laws of Security

One interesting aspect of the book is the discussion of the Laws of Security. They can be summarized as:
  • Client-side security doesn’t work;
  • You cannot securely exchange encryption keys without a shared piece of information;
  • Malicious code cannot be 100 percent protected against;
  • Any malicious code can be completely morphed to bypass signature detection;
  • Firewalls cannot protect you 100 percent from attack;
  • Any intrusion detection system (IDS) can be evaded;
  • Secret cryptographic algorithms are not secure;
  • If a key isn’t required, you do not have encryption—you have encoding;
  • Passwords cannot be securely stored on the client unless there is another password to protect them;
  • In order for a system to begin to be considered secure, it must undergo an independent security audit;
  • Security through obscurity does not work.
And how much of that affects developers? Let's see.

Relevant Info for Developers

I recommend that developers read this book, as it provides concrete examples of common threats we face today in our applications:
  • SQL injection
  • social engineering
  • exploit information
  • malware, trojans, viruses and worms
  • honeypots

The book also presents valuable (if superficial) knowledge on topics like:
  • network reconnaissance
  • logging best practices
  • disassembly
  • tracking
  • network problems

Conclusion

Security and technology are moving at a fast pace. But while some attacks get more sophisticated, old techniques are being used over and over again. Developers who are not concerned about how secure their code is should stop and reflect on how dangerous that behaviour is for them and for their companies.

Security is hard and shouldn't be neglected. The threats are real and happening all the time.

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Security and Ethics
Privacy and Ethics
Security Boundaries
Integrated security vulnerability alerts on GitHub - Why it matters