07 May 2020

Linux Firewalls by Michael Rash

Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort is a quite interesting book about iptables features to be configured as an UTM device through its integration with Snort specific iptables plugins for log correlation, traffic access control.
This book has many real examples and detailed configurations. I could not test those configurations in a lab so I cannot see them running, but expect this tool and its way to be configured evolve with time.

In my humble opinion, tools detailed in this book are useful for home usage and SOHO environments only able to afford free open source tools. For more exigent corporate environments, I feel this solutions loosely integrated, with a difficult maintenance if your network is big and heterogeneous  and besides nowadays there are many commercial tools with a reduced price for almost every firm.

I felt more interesting explanations given by author for many networks attacks. Those explanations are very detailed but easily understandable. Nevertheless, most part of those attacks are known at the public domain for long time, so hardened security engineers won't learn anything new here.

Summarizing: This book is correct but only really useful for those who are making their first steps in security engineering world.  

20 April 2020

"Bitcoin for the befuddled" by Conrad Barsky and Chris Wilmer

Bitcoin is one of the hottest topics today. It has gone further than a technological oddity to an evolutionary lap for finances and a matter of discussion for politicians. But understanding Bitcoin is hard. Its concepts are new and its foundations are mathematical and technological so average people have an hard time trying to understand what Bitcoin is based on.

The main good point of this book is that it tries to follow the way described by its title. You are not supposed to have any technical background to read this book, as it explain things for average people using usual day concepts and examples. Even using comics and funny drawings author are able to make easy really complex concepts that other books try to explain overwhelming you with math formula.

Sure, your are not going to develop a bitcoin based app or become the next digital billionaire just reading this book, but at least you'll lose your fears and start to understand what all this fuss is about and how it can change your life in the future. It is a light reading that you can end in just a weekend.

So, this book is quite recommended for everybody who wants to learn quickly the very basics of Bitcoin, both just to understand media news about cryptocurrencies and as a first step of further learning about this topic.

15 April 2020

Programming in Python 3 by Mark Summerfield

Python is an extremely powerful but easy to learn programming language. If you have prior knowledge of any programming language you can learn Python in just few hours and you can be a proficient developers in just some days.

However this simplicity can be dangerous too if you stay at the basics and don´t go further into this wonderful language. It's easy to keep using it just as an script language and think that that is all with Python. But actually Python is complete development language that you can use with almost anything you would need with an ease and expressiveness not easy to find in any other language.

This books focus in Python 3, the new generation of this language that now is its standard. Such an an evolution lap was not able to offer full backwards compatibility with former Python 2.7 branch. But actually this books gives a good guidance to promote your Python code to 3 branch. Book's content is extremely complete covering from basics (flow control, strings, files) to advanced topics (decorator, context manager, functors, abstract classes and metaclasses and a huge etc). Those topics will prove to be very useful to help you to translate easily mental concepts to code. All those concepts are explained with clean code, well commented and easy to understand.

As a summary, this is a good book both for newbies who want to start from the begining and for those with good expertise that want to get full advantage from Python. Besides, once finished this book is a good language reference to keep at hand on your bookshelf.

08 April 2020

Practical Lock Picking by Deviant Ollam

Security engineering ranges many fields. One of those fields is physical security. Historically one of the main pillars of physical security are locks, like you can find at doors, safes, drawers or treasure chests. Knowing how they work and how they can be subverted to make them open should be part of any security engineer expertise. Too often, the access card to the super-critical-Data-Processing-Center is kept inside a mere office drawer with a simple waffer lock.

Practical Lock Picking is written by a professional lock-picker in a clean and simple manner. Currently it focuses in to lock kinds: pine and waffer. Actually that covers 90% of doors and drawers nowadays. Author starts by describing both locks manufacturing process to enumerate their usual manufacturing defects, defects that can be used make them open. Afterwards, book describes usual methods and tools to make those locks open. Everything is plenty of diagrams to explain visually every step.

Although, author is a professional he is aware that his potentials readers are newcomers to this topic, so explanations are very detailed and he makes a real effort to put himself in a newbie feet. So he offers advice about how to start a collection of training locks and lock-picking locks, at a low initial cost and following a progressive difficulty when trying new locks.

Overall, this book is good and I find it a must have for any security engineer bookshelf.

06 April 2020

Security Engineering by Ross Anderson

Security Engineering by Ross Anderson is likely the best security book I've read so far.

Whereas other books explain from a technical point of view exclusively, Anderson focus on concepts establishing the mental framework to guide a security engineer along his professional career. So he does not refer to any specific firewall brand, programming language or operating system, but to design successes and failures along Information Technologies and Communications history. This is so enriching because dominant vendors marketing try to convince you that you only need to invest vast amounts of money to buy latest tech to get your information assets secure. However for Anderson technology is just a tool to perform a proper assess and design, from a mental framework based on comprehensive concepts independent from the latest tech state of art.

Along this book, these concepts are assessed, applying them to every information security field comparing them with historical events. So, many topics are covered. Topics so interesting and different like psychology, ergonomics, cryptography, access control policies to information assets, economics impact on security, integrity controls, security in shared data environments, intellectual property, terrorism and a quite long etc... 

The author's long expertise gives many examples to book from banking, defense industry and intelligence sector (of course, those sectors have been the great developers of current information security state of art). In those examples you get detailed descriptions ranging from IFF systems (Identify-Friend-or-Foe) to command and control military organizations; from the evolution of nuclear missiles protocols to improvements of electronics to spy electromagnetic emissions.

Besides, this books is going to stay relevant on your shelf for long as happens with general topics covered in it. This book is not one of those that end in your basket after some years.

All that makes Security Engineering a critical book for any security engineer and a good investment worth every penny you use to buy it.

20 February 2020

The Kerckhoffs's principle

Auguste Kerckhoffs was a dutch linguist that taught german language at Paris Commercial Studies School for the second half of XIX century. However, he is actually known for some essays he published at french Military Sciences Magazine. These essays evolved military cryptography as it was used so far. As a practical man, Kerkhoffs proposed 6 main principles to design a safe cryptographic system:

  1. If system is not theoretically safe, at least it should at be safe in practice.
  2. System effectiveness cannot depend of keeping its design details secret.
  3.  System's secret key should be easy to remember in order to avoid having it in a written note.
  4. Cryptosystems output should be alphanumeric.
  5. System should be able to be managed by an individual.
  6. System should be easy to be operated.

After a century, the whole 6 Kerckhoffs principles are still valid.

The first one is a main foundation of current cryptosystems. Those cryptosystems rely on such huge key spaces to make impossible a brute force attack against it, at least with technical resources available nowadays. The thing is current cryptosystem's keys can be theorically found by brute force attack (so cryptosystems are not theoretically safe), but doing so needs so vast amount of technical resources that in practice it is not viable (so cryptosystems are safe at practice). When technology gets a point were available computation horsepower make possible to break a key, then everybody increases those keys length to make a brute force attack harder to a point to make it not viable again.

Second principle has demonstrated its truth many times in history. Keeping secrets is hard. It is hard enough keep a cryptosystems key secret, but keeping secret its design for a long time is almost impossible, more nowadays in an interconnected world that tends to share data instead of hidding them. Actually this principle is what is mainly known as "The Kerckhoffs Principle". For the entire Cold War this principle was entirely ignored what in the end it has been generally accepted this principle is right. From that point on, cryptosystems design has been disclosed even opening to public proposals for its development (as happened with AES standard design). Opening those efforts has been a good way to include more thinking minds in standards and protocols design.

You already know what we're talking about at third principle. If your a security engineer you've surely faced a lot of wrong security policies to make users remember complex passwords... only to find out that users are keeping their hipercomplex passwords written at post-it stuck next to their computers.

4th, 5th, 6th principles make security engineers admit that human nature is not perfect when facing a new cryptosystem design. Humans are alphanumeric beings, we think visually and we find difficult imagine things beyond our know three dimensions.

A cryptosystem that does not take in count those factor will probably fail, because its human operator will no doubt take shortcomings and make tricks to overcome complexity but at the cost of reducing system entropy and with it its effectiveness. You can find an example in the Second World War, when lazy Enigma operators put its dials at predictable positions to avoid the hassle of changing them frequently as they have been advised. That thing only made easier their job for english criptoanalists at Bletchley Park.

If your are a security engineer, keep the second principle has a summary of this article: your system cannot depend of its design secrecy. Humans are not perfect and chances are that your design won't stay secret for long, not in this internet world.