Security Engineering - Part 2

This page contains new material and links for part 2 of my book `Security Engineering'. The fourteen chapters there cover a range of security technologies from multilevel secure systems through alarms and tamper-resistance to emission security and copyright management mechanisms. For reference, here are the table of contents and the bibliography. The errata for the print version are at the end.

New material and links

Privacy: In chapter 8, I talk about privacy risks, and in particular the fact that most privacy compromises result from the abuse of authorised access by insiders. This continues to be a growing issue. A recent example is a scare in the UK about tax clerks looking up the files of celebrities, and even using their systems to harrass ex-spouses.

This is a hard problem, and not one that was created by computers. In the old days, if you kept your bank account at the Oxford branch, then only the Oxford staff had easy access to it. This made it harder for a London-based private eye to get your account details via his source in the bank's Kensington branch, but more or less ensured that there would be occasional abuse by friends (and enemies) of customers who worked at the bank. This was controlled by cultural means - old fashioned banks had strong value systems and imbued their staff with a strong sense of what was and what was not `done'. A modern system in which two thousand minimum-wage call-centre staff in Newcastle deal with enquiries from Oxford (and everywhere else) makes local abuse less likely (except for customers who live in Newcastle), but makes it much more likely that there will be someone selling information to private detectives.

Technical solutions I describe include the design of compartmented mode systems, where operational staff have access to only a small part of the whole database , and inference control, which you can use to see to it that analysts have access to statistical information only. A radical, non-technical solution is to farm out the work overseas. For example, some US medical records are transcribed from doctors' dictaphones to case files by clerks in India.

Nuclear Command and Control: More has emerged about command and control since my book went to press. According to US doctrine, the detonation of a nuclear weapon requires three things: authorisation, environment and intent. The authorisation will typically be a code of the type discussed in chapter 12; `environment' might mean sensing a unique environmental condition, such as the zero gravity following the release of an air-drop bomb or the 20,000 g experienced by an artillery shell when it is fired; and `intent' means a command from the officer in charge of the launch. This too is heavily coded to ensure that background noise won't either prevent a weapon being armed deliberately, or allowing it to be armed by accident. That at least is the theory. As for the practice, it seems that for many years the USA used the authorisation code of all zeros for convenience; while other countries, such as Pakistan, have had a very laid-back approach that come commentators consider to be dangerously irresponsible.

Hardware Security: In chapter 14, we talk about a number of ways of probing out information from smartcards and secure microcontrollers. The state of the art has advanced quite a lot since the book went to press, mostly through the development of optical probing and optical fault induction techniques.

Meanwhile, outside the attack labs, the main hardware security threat remains the fact that people throw away hard disks containing all sorts of sensitive information. An interesting study has been published by Simson Garfinkel, who collected 158 used drives, found that 129 of them worked, and extracted significant personal information from 49 of them. One even had a year's worth of transactions with account numbers from an ATM in Illinois. Peter Gutmann has a good paper on this; as disk drives become `smarter' the only way to be sure that data have been deleted from a derice is to physically destroy it.

Intelink: Chapter 16 refers to secure intranets. There is a book Top Secret Intranet (How U.S. Intelligence Built INTELINK - The World's Largest, Most Secure Network by Frederic Thomas Martin. It also mentions Venona, for which (as I described in the page for section 1), there is now a home page and at least one book.

Furby: I reported on p 310 that the NSA banned Furby toys in the belief that they could remember and randomly repeat things said in their presence. The commander at the Norfolk Naval Shipyard ordered anyone seeing a Furby to seize it and its owner as a security violation. But subsequently the toy's maker claimed that it had been libelled; that it contained no recording device and that its utterances, although random, were preprogrammed. When even the NSA can't tell whether a common object contains a recording device, that should give some pause for thought. And as more and more everyday objects acquire both computational and communications cability, where will it end? I have been asked by government contractors if we can think of any way, short of physical search, of determining whether an individual passing through a door is carry some kind of recording equipment; we've not come up with any ideas that stood scrutiny.

t00lz: On page 369 I mentioned rootshell.com as a source of exploit tools. This site appears to be on the wane; try sites like www.packetstormsecurity.com or neworder.box.sk.

Errata

p 148 line 3: `Compartmented mode' not `Comparted mode'

p 153 Para 5 line 2: `medicine' not `meducine'

p 153 Para 5 line 3,4: `thus won't appear in their normal medical record' not `thus appear in their normal medical record'

p 154 sec 7.5.4 line 4: `to write managed to' not `to write-manage to'

p 158 second last line: `he' not `He'

p 166 second paragraph: `for each object c, y(c) for c's company and x(c) for c's conflict-of-interest class' not `for each client c, y(c) for c's company and x(c) for c's competitors'

p 166 the *-property should end `and y(c) not equal to y'(c)', not `and y(c) = y'(c)'

p 175 precise protection means that D = P', not that D = P

p 184 second paragraph should refer to chapter 7, not chapter 8

p187 and 188: I got debits and credits the wrong way round in my d description of double-entry bookkeeping. As they say in accounting school, `debit the receiver, credit the giver'.

p 188 para 3 line 5: `into a savings' not `into as savings'

p 194 sec 8.3.1: The I in SWIFT stands for Interbank, not International (bank insiders render it as Society For International Free Travel, which may be the reason for the confusion :-)

p 205 Research Problems para 3 line 3: `such as HP's authorization server' not `such HP's authorization server'

p 207 para 1: `International Atomic Energy Agency' not `Authority'

p 222 sec 10.4 second last para second line: `styli' not style'

p 226 sec 10.4.2.1 line 5: `smartcard will be used' not `smartcard will used'

p 229 sec 10.5 para 2 line 7: `personnel don't exist' not `personnel doesn't exist'

p 232 para 1: `International Atomic Energy Agency' not `Authority'

p 234 end of para 3: `if the arbitrator wrongfully finds in favor of the cheating party' not `if the arbitrator wrongfully finds in favor of the cheated party'

p 236, sec 11.5: `Permissive Action Links' is the new, user-friendly rendition of the acronym that used to stand for `Prescribed Action Links'

p 236, 5th bullet: `photoacoustic' -> `photochromic'

p 263 para 3: add comma after `simultaneously presented on-screen'

p 266 footnote: my Polish translator, Piotr Carlson, points out that the town formerly known as Breslau in Germany is now Wroclaw in Poland - so there is now a Polish claim on this history as well!

p 286 sec 14.5.2 para 3, line 7: `output the plaintext version' not `output the plaintext versions'

p 288 line 1: `circuits for detecting whether a fuse is open' not `the circuits for detecting whether a circuit is open'

p 288 sec 14.6 para 2 line 1: `the opponent' not `opponent'

p 299 para 2 line 1: `Common Criteria' not `Common Critera'

p 306 sec 15.2 para 2, last line but 1: `United States' not `Unied States'

p 309 second bullet line 2: `But it is', not `But is'

p 328 line 7: `torpedoes' not `torpedos'

p 330 sec 16.3.3.4, line 3: `be' not `by'

p 334 fifth line from end: `the jammer transmits' not `the radar transmits'

p 354: the home location register keeps pointers to the location of all locally-issued SIMs, while the visitor location register tracks all SIMs currently registered on the network. Thus where a phone has not roamed, the local HLR points to the local VLR, and where it has roamed, the HLR of the issuer network points to the VLR of the network where it is currently registered (and vice versa). Nowadays many networks have a number of VLRs (perhaps one for each message switching centre) and some have multiple HLRs. The standard (but expensive) reference is Walke.
p 355 line 3: `Figure 5.10' not `Figure 5.9'
p 355 the median number of challenges required to extract a Comp128 key is now about 60,000
p 370 sec 18.2.1 last para: `three bytes' not `three bits'
p 373 first para: my definition of `open relay' is non-standard: an SMTP open relay is one that allows use by "transit" traffic - messages which neither come from nor go to email addresses for which that SMTP server is intended to provide service
p 374 sec 18.3 line 1: `It might seem' not `It might seen'
p 374 sec 18.3.1 para 2: `as noted in section 18.2.2.3', not section 18
p 387 last line: `Genuine' not geuine'
p 393 line 8: `your gas and electricity suppliers' not `you gas and electricity suppliers'
p 394 sec 19.3.1 line 2: `gets' not `get'
p 396 sec 19.3.4 para 2 line 3: `and MasterCard' not `amd MasterCard'
p 398 para 2 line 2: `main recources' not `main resources'
p 399 bullet 3 line 6: the equation should read KCS = h(K0, NC, NS)
p 399 last para: the name TLS is now an official IETF name, not just a Microsoft name
p 400 last para second line: `the merchant server' not `the server'
p 404 para 4 line 12: `specialized systems that' not `specialized system that'
p 406 second last para line 5: `changing' not `change'
p 409 line 1: `gauge' not `guage'
p 413 first quote: `and the Party of the Future' not `and Party of the Future'
p 430 second line from end: `Figure 20.4' not `Figure 20.5'

Thanks to Peter Chambers, Nick Drage, Ben Dougall, Paul Gillingwater, David Håsäther, Konstantin Hyppönen, Garry McKay, Avi Rubin, Nick Volenec, Randall Walker, Keith Willis, Stuart Wray and Stefek Zaba.

Return to Ross Anderson's home page